Introducing Pizzly - the OAuth Integration Proxy

At Bearer, the whole team is focused on helping developers that rely on third-party APIs. In 2019, our engineers developed a solution that eased the integration with any API that uses OAuth as the authentication method.

By handling both the authentication strategy (with refresh tokens) as well as proxying the request, it saved hours of engineering time when working with API integrations.

As we believe no developers should ever have to spend hours dealing with the ins and outs of integrating OAuth API, we’ve decided to fully open-source our tool. Introducing Pizzly: The OAuth Integration Proxy.

What is Pizzly?

Pizzly is an OAuth Integration Proxy. It provides everything a developer needs to easily consume an OAuth-based API (aka an API that uses OAuth as the authentication method).

Most APIs now use the OAuth framework to authorize an application that wants to access a user's data. One of the main reasons is that OAuth provides the best user experience while being very secure. But one thing has been totally forgotten in the OAuth framework: the developer experience.

It is much more difficult for a developer to use an OAuth based API than it is to use an API that relies on an API Key. Try timing yourself on how long it takes to integrate with two APIs. Let's see how long it takes to have your first successful request to the Stripe API compared to the Google Sheets API.

Time To First API Call (TTFAC) chart without Pizzly
Time To First API Call (TTFAC) without Pizzly

It took me around 43 minutes and 19 seconds to perform an authenticated request to Google Sheets starting from scratch (source). And only 5 minutes for Stripe (source). We should change that.

Pizzly aims to provide the best developer experience when using an OAuth-based API. One of its power-features is that it completely handles the OAuth-dance (including refreshing a token), meaning a developer can focus on requesting endpoints without spending hours dealing with authentication.

Here's the same test using Pizzly:

Time To First API Call (TTFAC) with Pizzly

It took me almost the same amount of time (5 min vs 7 min) to perform an authenticated request to the Google Sheets API compared with Stripe, starting from scratch with Pizzly. Again, here's the source. And contrary to the previous test, using Pizzly means the token will be refreshed once expired.

How does it work?

Pizzly provides multiple tools to help developers with their API integrations, including:

  • an auth service - to handle the OAuth-dance;
  • a proxy - to make authenticated requests to an API;
  • a dashboard - to enable and configure APIs;
  • a JS library - to connect a user from your frontend.

The two major services are Auth and Proxy:

  1. The auth service handles the OAuth-dance and generates what is called an authId each time a user has successfully authorized your OAuth application. The authId acts as a reference to the OAuth payload (i.e. access token and refresh token). While the access token and refresh token expire and change over time, the authId is always the same. Think of it as something like a user identity.
  2. The proxy service forwards HTTP requests to the third-party APIs. To authenticate the request, the developer sends the authId alongside. This tells the proxy service to transform the request and authenticate it with the right access token. In case it has expired, Pizzly will refresh the token and retry the request.

Another great tool that Pizzly brings is the dashboard.

The dashboard lets you configure your integrations, test them, and look at what's happening.

How to use it?

Pizzly is self-hosted, meaning you can install it on your machine or any platform-as-a-service (e.g. Heroku, AWS, etc.). Here's a guide on how to get started.

Once installed, enable an API from the list and trigger a complete OAuth-dance in a few lines of code using the Pizzly JS library:

// Initialize Pizzly
const pizzly = new Pizzly({ host: "pizzly.example.org" }) 
const api = pizzly.integration('api')

// Connect a user to an API
api
  .connect()
  .then(({ authId }) => console.log("Sucessfully connected!", authId))
  .catch((error) => console.error("It failed!", error))

When a user is successfully connected, you retrieve an authId that you can use to make authenticated requests to the API. Here's a cURL on how to make a request to the Google Sheets API to create a spreadsheet on the user's drive:

curl -X POST /proxy/google-sheets/ \\
 -H "Pizzly-Auth-Id: REPLACE-WITH-YOUR-AUTH-ID"

No matter what your backend is running on (Ruby, Go, Node.js), send your requests to the proxy. It makes integrating APIs much faster. You can even perform your calls from your frontend, with the JS client.

How it can help you?

https://raw.githubusercontent.com/Bearer/Pizzly/master/views/assets/img/docs/pizzly-preconfigured-apis.jpg

Pizzly supports more than 50 APIs out-of-the-box. All you need to do is set your credentials and scopes in the dashboard. This list includes the most common APIs, such as:

  • Communication APIs: Gmail, Microsoft Teams, Slack, Zoom;
  • CRM: Front, Hubspot, Salesforce, etc.
  • Developer tools: BitBucket, GitHub, GitLab, etc.
  • Finance APIs: Xero, Sellsy, Zoho Books, etc.
  • Productivity: Asana, Google Drive, Google Sheets, Jira, Trello, etc.
  • Social APIs: Facebook, LinkedIn, Reddit, etc.
  • and more...

But that's not all. Each pre-configured API is a .json file located within the /integrations/ folder. So if you want an API that is not pre-configured yet, you can set up the configuration as a new .json file within that directory. If ever you feel like sharing, create a new PR to share your own configuration with the community.

What's next?

Pizzly is a full part of Bearer and we keep contributing to the project on a daily basis. We even use it as part of our internal tools to handle third-party integrations, like Slack.

We hope that it will become a part of your stack and help you offer many more integrations, more easily, to your customers.

To learn more about Pizzly:

You may also like

Consume APIs. Stay in Control.

Monitor, track performance, detect anomalies, and fix issues on your critical API usage.

Learn more Request Demo