Miro Integration in an App

  • 12 January 2022
  • 3 replies

My usage:

When user click the button in our app, I will create a board on Miro.


I checked the document: 

Step1: we will get the code after we authorize with the redirect url, this authorize will be completed by the real end user, right?

Step 2: we will get the access token by the code and return to our UI website

Step 3: we can pass the token from UI to our API and then access the create request. (we need the user to authenticate our App also)


My questions are:

Do we need/have the system account to get the access token?

If we want all of the authenticate and real create request get done in our backend, what I can do? 

Miro will redirect the code to our API, but with this call, there is no our app authenticate info, we cannot continue to request the other logic if no user authenticate info with our app.

3 replies

To generate a unique string with state parameter to identify it?

Then we need to cache the state string and check with the call back state parameter


This is an extra security measure used to prevent CSRF attacks.

Provide a random string as the state value in the request and then validate that the same state value was received after the user authorized the app.

For request-specific data, you can use the state parameter to store data that will be included after the user is redirected.

Sample value:

Userlevel 5
Badge +1

Hi @Fujing,


Miro REST API relies on OAuth2 for authorization (more information here).

It means that for every user using your application, you need the user to approve your app and allow you to do action in her/his name (like creating a board). The authorization process needs to be done once for every user, you can then store the access_token to get and use it for future requests.


Do we need/have the system account to get the access token?


Your backend needs to implement the OAuth2 flow as described in the API documentation. That will be part of your user flow to use your application.


You can find more information here as well.

@Anthony Roux Thank you for your reply

Let me confirm: Step 2 - Get the verification code (as a query parameter)

this code will get with the miro call back, right?


  1. if this callback redirect to my back_end, I will get the code and then I can get the access token with a new call, but with this request there is no authenticate info to my back_end server, right? 
  1. If this callback redirect to my API, and then redirect to my UI site (not sure if it is possible without UI page redirection), it means we will have 2 calls at least from my UI app to create the board, right?