In sharing a web plugin with a team, do we need to “wrap” Miro REST calls on our application server (e.g. within a Node.js server), sending the authorization in the header for each service call?
Or can our plugin code remain as it is? Currently, our test plugin makes use of code like this, using the Miro API that gets loaded automatically in the context of the plugin:
Without OAuth, this works for the user who created and installed the plugin. However, though other team members can invoke the plugin, they don’t have the authorization for this command to work.
Basically, I’m wondering whether, for “web plugins” specifically, the OAuth flow is meant for a one-time installation by each team member, or whether the authentication has to be managed for each user every time they are using the plugin and/or whenever a specific Miro API is called.
Best answer by Boris Borodyansky
To use Web-Plugin scopes, your app can be installed without any backend.
All you need to do is check whether the user is authorised and, if not, suggest installing the app by providing a link of the following structure: https://developers.miro.com/docs/how-to-start#section-3-install-your-web-plugin-to-any-miro-user
However, if you want to make other REST API calls and utilise users’ tokens, you would need to wrap those calls with a backend proxy.
Please let me know if this was helpful.
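The backend proxy mentioned in the answer, sketched as an added example (not code from the thread or from Miro): the server looks up the caller's OAuth token from its own store, ignores any credentials sent by the browser, and forwards only allowlisted calls. The base URL, the allowlisted paths, the session ids and the in-memory token store are assumptions made for illustration.

```javascript
// Added example: request-building core of a Node.js proxy for Miro REST calls.
// Assumptions (not from the thread): base URL, allowlist, session-keyed store.
const MIRO_API_BASE = "https://api.miro.com/v1"; // assumed REST base URL

// Constructed sample data: session id -> access token saved when that team
// member completed the OAuth install (placeholder value, never sent to the browser).
const tokenStore = new Map([["sess-alice", "TOKEN_PLACEHOLDER_ALICE"]]);

// Hypothetical allowlist: only these method/path shapes are ever forwarded.
const ALLOWED = [
  { method: "GET", path: /^\/boards\/[A-Za-z0-9_=-]+$/ },
  { method: "GET", path: /^\/boards\/[A-Za-z0-9_=-]+\/widgets\/?$/ },
];

// Build the upstream request for one plugin call, or return an error status.
function buildUpstreamRequest(sessionId, method, path, clientHeaders = {}) {
  const token = tokenStore.get(sessionId);
  if (!token) {
    // This team member has not installed/authorized the app yet: the plugin
    // should show the install link rather than retry.
    return { status: 401, error: "not_authorized" };
  }
  const verb = String(method).toUpperCase();
  const allowed = ALLOWED.some((r) => r.method === verb && r.path.test(path));
  if (!allowed) {
    // Anchored patterns reject traversal ("/boards/x/../..") and other endpoints.
    return { status: 403, error: "path_not_allowed" };
  }
  // Start from a clean header set: Authorization or Cookie values supplied by
  // the browser are dropped, the token comes only from the server-side store.
  const headers = { Accept: "application/json" };
  if (clientHeaders["content-type"]) {
    headers["Content-Type"] = clientHeaders["content-type"];
  }
  headers.Authorization = `Bearer ${token}`;
  return { status: 200, url: MIRO_API_BASE + path, method: verb, headers };
}

// Stand-alone demo with constructed input.
console.log(buildUpstreamRequest("sess-alice", "get", "/boards/abc123").url);
console.log(buildUpstreamRequest("sess-bob", "GET", "/boards/abc123").error);
```

In a real route handler the returned object would be passed to the HTTP client of your choice, and a 401 result would be relayed to the plugin so it can prompt that user to install the app.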