Skip to main content

How is security handled with third-party applications?

Procore API Security

Procore customers may inquire about how security is handled for applications and integrations built by third-party developers using the Procore API. Procore employs what many consider the industry standard for API authentication - OAuth 2.0. The OAuth 2.0 authentication framework provides a secure means of authorizing and authenticating access to user data for third-party applications. OAuth 2.0 relies on SSL (Secure Sockets Layer) to ensure data transfer between the web server and browsers remains private and is kept safe. OAuth 2.0 protects Procore user data by providing access without revealing the identity of the user. Third-party applications make requests on behalf of the user without accessing passwords and other sensitive information.

Developers building solutions with the Procore API implement one of several OAuth 2.0 authorisation grant types depending on their particular application use case. The OAuth 2.0 grant types supported by the Procore API rely on the use of encrypted tokens which are string values that represent the authorisation and authentication of a specific application to access data in Procore on behalf of a Procore user. 

Additional Considerations

App Management

Company administrators can also play a role in promoting good security practices though proper App Management. Company administrators use the App Management feature in the company level Admin tool to perform a variety of tasks related to installing and managing Apps, as well as configuring them for use in projects. Company administrators have complete control over which Apps are installed in a company and oversee App usage in projects. App installation may be delegated by enabling the Allow User Installs option.

Service Accounts

A number of integrations built to work with Procore utilise Service Accounts to handle authorisation and authentication. Services Accounts allow you to support integrations that require the Client Credentials grant flow as defined in the OAuth 2.0 Specification. In this scenario, applications need a way to retrieve an OAuth 2.0 access token outside the context of any specific Procore user. OAuth 2.0 provides the Client Credentials grant type for this purpose. A unique client_id and client_secret is generated when a new Service Account is created by a company administrator. After the Service Account is created, a company administrator can Configure Service Account Permissions to define specifically how the integration will access data in Procore and which actions are allowed.

Application and user credentials in Procore are protected from any malicious actors in the same manner in which all of our other data is protected. Although all third-party developers agree to the Procore Developer Portal Terms of Use, their own security practices are not specifically known to us in all cases.