Problems with authenticating an App

Hey guys

I’m trying to setup an app to authenticate with Speckle, so the app can make requests to Speckle on the behalf of users.
Currently the documentation on the subject is quite limited: Apps & Auth | Speckle Docs
I have created an app on my profile and gotten an App ID.

What I have so far is below :point_down:

export const authenticateWithSpeckle = () => {
  const appId = import.meta.env.VITE_SPECKLE_APP_ID || "";
  const challenge = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);

  if (appId && challenge) {
    window.location.href = `${import.meta.env.VITE_SPECKLE_PROTOCOL}://${

However, when I’m redirected to Speckle, the Speckle page throws an error (TypeError: is null) in the console and nothing happens (I’m never redirected back to my page.)



Hi @chrk! :wave:t3:

Welcome to our community! If you’d like to, feel free to Introduce yourself 🙆 :wink:

As for your problem, not sure where this would be originating, but I suspect it may have to do with the way you appId variable is being set. Can you confirm that in fact the appId is being set correctly in the url?

I just did a quick test with a new app in and it the login+redirect worked with no errors and; since this may not be the reason for your error, let me ask you a couple more questions:

  • What server are you interacting with? Is it our .xyz one? Or do you have your own deployment
  • Could you send us the url you are being sent to? the appId is public anyway so you can just paste it here in the response. Maybe also a screenshot of what you’re seeing on the login page? Should be something like this

Thanks for the quick reply @AlanRynne !

Yes, the appId looks correct

I’m running on a local dev server. The container is running the 2.3.14 image

Hello @chrk ,
Quick questions just to cover some basic setup info:

  1. Are you running the setup with the docker-compose file from the documentation? Did you made any relevant changes? ( Deploying a Server - manual setup | Speckle Docs )
  2. What’s the CANONICAL_URL environment variable for the server container?
  3. I see you access the server via 172.30.* IP address, which is a common subnet for internal docker networks. Is that the docker container IP address, or your computer’s LAN IP address?


I also tried creating an app on a local server, then simply going to the URL mentioned there, replacing the appId, and it shows the permission dialog.

I also tested with an invalid appId, and it shows the same behavior as you are describing.

I also noticed that both the appId and appSecret are 10 characters long, maybe double check that you used the appId and not the app secret?


  1. yes, I’m running it with Docker-Compose with the required changes. The Speckle runs fine, I have several streams there and the access token systems works.
  2. The cononical_url is set to
  3. It is a local server on my office network


Are you still having issues? Have you double checked if you use the appId, and not the appSecret (they can be easily confused, as they have the same length)

To test just the server part (without your app involvement), you can just create an app and open the url in your browser:

You should see the permissions dialogue

1 Like

Yes, it is working now :slight_smile:
I actually didn’t change anything, but it anyhow works now

1 Like

Follow up question:
I get n access code back, which I exchange for a token pair (access and refresh) as per this

When the access token expires, what endpoint should I hit with the refresh token to get a new access token?

If I loose my refresh token (user logs out or clears browser) do I need to re-authenticate with speckle on {SPECKLE_URL}/authn/verify/{APP_ID}/{NEW_CHALLANGE}?

1 Like

Hi @chrk! Glad to know you got it working :slight_smile: As for your follow up questions:

You can generate a new token from using the refresh token by hitting the same endpoint used to exchange the access code :point_right:t3: /auth/token with only the refresh token in the body:

  refreshToken: YOUR_REFRESH_TOKEN

as opposed to the body that is passed in to exchange the access code, which looks like this:

  appId: YOUR_APP_ID
  appSecret: YOUR_APP_SECRET
  accessCode: YOUR_ACCESS_CODE

The response format does not change, so you don’t need to worry about different ways of handling the response :wink:

Yes :slight_smile: If you loose your refresh_token you effectively need to re-authenticate again. In the most basic cases (an app that only has speckle login) you may want to actually delete that data, as you don’t really want that lying around for someone else to find.

In more complex cases, such as apps with pre-existing login where what you want is to “link” a Speckle Account to the user, you may want to securely store them in a database so that even if your user logs out of your auth system, you wont have to continue to ask them to re-authorise speckle on their behalf.