This page documents OAuth endpoints used by Tools web integrations.
oauth.slack.start/oauth/slack/startGET or POSTauth:webStarts the Slack OAuth flow and redirects to Slack oauth/v2/authorize.
oauth.slack.callback/oauth/slack/callbackGETauth:webSlack redirects back here with code and state.
oauth.slack.callback-url/oauth/slack/callback-urlGETauth:webReturns the currently computed callback URL in JSON:
{
"callback_url": "https://tools.tornevall.com/oauth/slack/callback"
}
oauth.soundcloud.start/oauth/soundcloud/startPOSTauth:webExpected payload:
{
"provider_app_id": 1,
"target_owner_type": "system",
"target_owner_id": null
}
oauth.soundcloud.callback/oauth/soundcloud/callbackGETauth:webReceives provider callback values (state, code, error, error_description).
oauth.microsoft_todo.start/oauth/microsoft-todo/startPOSTauth:webStarts the Microsoft OAuth flow for the currently logged-in user.
oauth.microsoft_todo.callback/oauth/microsoft-todo/callbackGETauth:webReceives provider callback values (state, code, error, error_description) and stores the per-user Microsoft To Do connection.
The current X mention-bot does not complete a browser-based OAuth exchange. It still uses static server-side X_BOT_* credentials from .env.
If you receive X OAuth 2.0 client credentials during app setup, store them in:
X_OAUTH2_CLIENT_IDX_OAUTH2_CLIENT_SECRETX_OAUTH2_REDIRECT_URIIf the X dashboard also shows generated OAuth 2.0 user tokens, store them in:
X_OAUTH2_ACCESS_TOKENX_OAUTH2_REFRESH_TOKENThose are reserved for a future callback-driven OAuth2 flow and are separate from the current OAuth1-style posting credentials X_BOT_ACCESS_TOKEN and X_BOT_ACCESS_TOKEN_SECRET.
However, Tools now exposes a public callback placeholder so there is a real URL available for X app registration when a callback field is required:
oauth.x.callback/oauth/x/callbackGETThis route currently acts as an informational landing page and placeholder only. It does not yet exchange or store X OAuth tokens.
oauth.x.callback-url/oauth/x/callback-urlGETReturns JSON containing the currently computed X callback URL.
For Slack app configuration, use:
https://tools.tornevall.com/oauth/slack/callbackhttps://tools.tornevall.net/oauth/slack/callbackIf SLACK_REDIRECT_URI is configured, that value is used as the effective redirect URI and should be registered in Slack App settings.
For Microsoft To Do / Microsoft Graph app configuration, register the callback matching the current environment:
https://tools.tornevall.com/oauth/microsoft-todo/callbackhttps://tools.tornevall.net/oauth/microsoft-todo/callbackIf MICROSOFT_TODO_REDIRECT_URI is configured, that value becomes the effective redirect URI and should be registered in the Microsoft Entra app as well.
For X app registration, if you need a callback URL field even though the current bot uses static credentials, use:
https://tools.tornevall.com/oauth/x/callbackhttps://tools.tornevall.net/oauth/x/callbackWhen the Microsoft To Do platform app is not environment-managed, the shared app settings can now also be saved from /settings/integrations/microsoft-todo by an acknowledged admin. The page shows the same recommended callback URL together with additive diagnostics about missing platform-app fields.