Skip to main content

Overview

Omi uses an OAuth 2.0-like flow to allow third-party applications to access user data with explicit consent. This ensures users maintain control over their data and what applications can access.

User Consent

Users explicitly approve what data your app can access

Secure Token Exchange

Firebase authentication ensures secure identity verification

Prerequisites

Before implementing OAuth, ensure you have:

Register Your App

Your app must be registered with Omi and have an App ID

Configure App Home URL

Set your App Home URL in your app’s settings - this is where users are redirected after authorization

HTTPS Required

Your App Home URL must use HTTPS

OAuth Flow

Redirect User to Omi

Your app redirects the user to Omi’s authorization endpoint:
https://api.omi.me/v1/oauth/authorize?app_id=YOUR_APP_ID&state=YOUR_STATE
ParameterRequiredDescription
app_idYesYour application’s unique ID
stateNoOpaque value for CSRF protection and maintaining state
Always use the state parameter to prevent CSRF attacks. Generate a random string and verify it when the user returns.

User Authenticates & Consents

On the Omi authorization page, the user:
  1. Logs in with their Firebase credentials (Google or Apple)
  2. Reviews the permissions your app is requesting
  3. Grants or denies access
Example permissions shown to users:
  • “Engage in chat conversations with Omi”
  • “Access and manage your conversations”
  • “Process audio data in real-time”
  • “Create new conversations on your behalf”
  • “Access and read your stored memories”

Token Exchange

After user approval, Omi’s authorization page handles the token exchange internally:
POST https://api.omi.me/v1/oauth/token
Content-Type: application/x-www-form-urlencoded

firebase_id_token=FIREBASE_TOKEN&app_id=YOUR_APP_ID&state=YOUR_STATE
Response:
{
  "uid": "USER_UNIQUE_ID",
  "redirect_url": "YOUR_APP_HOME_URL",
  "state": "YOUR_STATE_IF_PROVIDED"
}
This step is handled automatically by Omi’s authorization page - you don’t need to implement this yourself.

User Redirected to Your App

The user’s browser is redirected to your App Home URL with query parameters:
https://your-app.com/callback?uid=USER_UNIQUE_ID&state=YOUR_STATE
Your app should:
  1. Validate the state parameter matches what you sent
  2. Store the uid for making API calls on behalf of the user

Handling the Callback

Example implementation for handling the OAuth callback: 
from fastapi import FastAPI, Request, HTTPException
from fastapi.responses import RedirectResponse
import secrets

app = FastAPI()

# Store state tokens (use Redis in production)
pending_states = {}

@app.get("/start-oauth")
async def start_oauth():
    # Generate CSRF token
    state = secrets.token_urlsafe(32)
    pending_states[state] = True

    # Redirect to Omi
    return RedirectResponse(
        f"https://api.omi.me/v1/oauth/authorize"
        f"?app_id=YOUR_APP_ID&state={state}"
    )

@app.get("/callback")
async def oauth_callback(uid: str, state: str):
    # Validate state
    if state not in pending_states:
        raise HTTPException(400, "Invalid state parameter")

    del pending_states[state]

    # Store uid for this user's session
    # Now you can make API calls with this uid
    return {"message": f"Successfully connected! User ID: {uid}"}

Automatic App Enablement

When a user completes the OAuth flow, Omi automatically attempts to enable your app for them.
Omi performs several checks before enabling:
CheckDescription
PrivacyIf app is private, only owner/testers can enable
Setup CompletionIf setup_completed_url is configured, it must return true
PaymentIf app is paid, user must have active subscription
If any check fails, the OAuth flow halts and shows an error to the user.
If your app requires setup (e.g., connecting to external services), configure a setup_completed_url:Request from Omi:
GET https://your-app.com/setup-status?uid=USER_ID
Expected Response:
{
  "is_setup_completed": true
}
Return false if the user hasn’t completed setup yet. Omi will show an appropriate message.
When a user successfully enables your public app through OAuth, the public install count is incremented (if applicable).

App Configuration

App ID

Unique identifier for your app, provided when you register

App Home URL

Where users are redirected after authorization (must be HTTPS)
Configure these settings in the Omi developer portal or during app submission:
FieldLocationDescription
App IDAuto-generatedYour unique application identifier
App Home URLexternal_integration.app_home_urlCallback URL after OAuth (HTTPS required)
Setup Completed URLexternal_integration.setup_completed_urlOptional endpoint to verify user setup

Security Best Practices

Always Use State

Generate a cryptographically random state parameter and validate it on callback to prevent CSRF attacks

Validate Origin

Ensure the uid came from a legitimate OAuth flow, not a forged request

Secure Storage

Store user uid values securely, treating them as sensitive credentials

HTTPS Only

Always use HTTPS for your App Home URL and all API communications
Never expose your App ID in client-side code where it could be extracted. While the App ID itself isn’t secret, it should be treated as sensitive for your integration’s integrity.

Troubleshooting

Possible causes:
  • App Home URL not configured or incorrect
  • App Home URL doesn’t use HTTPS
  • User denied permissions
Solution: Verify your App Home URL in the developer portal
Possible causes:
  • State expired before user completed flow
  • State not properly stored server-side
  • CSRF attack attempt
Solution: Implement proper session/state management with reasonable expiration
Possible causes:
  • setup_completed_url returning false or error
  • Endpoint not accessible from Omi servers
  • JSON response malformed
Solution: Test your endpoint directly and check server logs

Integration Apps

Build webhook-based integrations

Chat Tools

Add custom tools to Omi chat

Notifications

Send push notifications to users

Submit Your App

Publish your app to the store