Authentication
Authenticating with OAuth 2.0 using the VARIO App Framework
When you build your own Node.js backend (not using the demo app repository), you can still use the VARIO App Framework backend package to handle authentication for you.
At a high level:
Your app stores the VARIO Cloud credentials and refresh tokens.
The framework backend handles:
OAuth 2.0 refresh token grant
obtaining and caching access tokens
adding Authorization: Bearer <access_token> to all VARIO API calls
You never have to call the token endpoint manually.
1. What you need before you start
To authenticate via the framework backend you need:
App credentials (AppClient) from the VARIO-Cloud Admin Center (see “Creating a new App and getting API credentials”):
appIdentifier
clientId
clientSecret
One refresh token per VARIO-Cloud installation
Obtained once during the installation/authorization flow of your app (e.g. on your pcInstallationUrl).
Stored securely in your own database or configuration.
Base URLs for your environment
VARIO Cloud API base URL (business API)
OAuth 2.0 token endpoint URL
The framework will use clientId, clientSecret, and the installation-specific refreshToken to obtain access tokens via grant_type=refresh_token.
2. Install the framework backend
In your Node.js backend project:
The backend package is responsible for API communication and authentication.
The frontend package (@vario-software/vario-app-framework-frontend) is optional here and only relevant for styling/JS helpers in your UI.
3. Provide configuration: app client + installations
Your app needs a way to provide two types of data to the framework:
Static app client config (same for all installations):
You can use an app-client.json file (similar to the demo app) or environment variables. The demo app reads this file at startup and passes the values into the framework.
Installation-specific refresh tokens
For each customer/tenant installation:
You receive a refresh token during the app installation/authorization flow.
You store it in a database table like app_installations:
installation_id
refresh_token
maybe also tenant-specific URLs / metadata.
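The secure-storage requirement and the app_installations table described above, as an added example (not code from the VARIO App Framework or the demo app): each refresh token is encrypted with AES-256-GCM before it is written, with installation_id bound as associated data. The TOKEN_ENC_KEY variable, the function names and the in-memory Map standing in for the table are assumptions.

```javascript
// Added example, not part of the VARIO App Framework.
const crypto = require('node:crypto');

// Assumption: a 32-byte key from a secret store, passed as hex in the hypothetical
// TOKEN_ENC_KEY variable. A constructed random key is used when it is absent (demo only).
const KEY = process.env.TOKEN_ENC_KEY
  ? Buffer.from(process.env.TOKEN_ENC_KEY, 'hex')
  : crypto.randomBytes(32);

// Encrypt a refresh token for the app_installations.refresh_token column.
// installation_id is bound as AAD, so a ciphertext copied to another row fails to decrypt.
function sealRefreshToken(installationId, refreshToken, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce on every write, including rotations
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(installationId), 'utf8'));
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  return 'v1.' + [iv, ct, cipher.getAuthTag()].map((b) => b.toString('base64')).join('.');
}

// Decrypt a stored value; throws if the value was modified or belongs to another row.
function openRefreshToken(installationId, stored, key = KEY) {
  const [version, iv, ct, tag] = stored.split('.');
  if (version !== 'v1' || !iv || !ct || !tag) throw new Error('unknown token format');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'));
  decipher.setAAD(Buffer.from(String(installationId), 'utf8'));
  decipher.setAuthTag(Buffer.from(tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed in-memory stand-in for the app_installations table.
const appInstallations = new Map();

// Call on install and again whenever a rotated refresh token has to be persisted.
function saveRefreshToken(installationId, refreshToken) {
  appInstallations.set(installationId, {
    installation_id: installationId,
    refresh_token: sealRefreshToken(installationId, refreshToken),
  });
}

function loadRefreshToken(installationId) {
  const row = appInstallations.get(installationId);
  if (!row) throw new Error(`no installation ${installationId}`);
  return openRefreshToken(installationId, row.refresh_token);
}
```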
4. Initialize the framework backend
In your backend, create a module responsible for wiring your configuration into the framework.
Example structure:
5. Use the framework client in your own routes
Once you have a helper like getVarioClient(installationId), you can use it inside your Express (or Fastify, etc.) route handlers.
Example (pseudo-code with Express):
From your app’s perspective:
You never manually:
call the OAuth token endpoint
build Authorization headers
check expiry times
You always:
ask the framework to give you an API client for an installation
call .get(), .post(), etc. on that client
Under the hood the framework:
Reads clientId / clientSecret.
Uses the installation’s refreshToken to request an access token (grant_type=refresh_token).
Caches the access token until it expires.
Sends the VARIO-Cloud API request with Authorization: Bearer <access_token>.
If the OAuth server returns a new refresh_token, it calls onRefreshTokenUpdated so you can persist it.
This is the same pattern that the demo app uses internally, only with its own wiring and file structure.
6. Summary
If you build your own app but still use the VARIO App Framework backend:
Create an App in VARIO Cloud and get appIdentifier, clientId, clientSecret.
Store one refresh token per installation when your app is installed/authorized.
Install the framework backend:
Initialize the framework with your app client config.
Create a helper (similar to the demo app) that:
loads the installation’s refreshToken
asks the framework for an API client
persists rotated refresh tokens (if any)
Use that API client in all your route handlers instead of talking to the VARIO Cloud API directly.
You still use OAuth2 with the refresh-token grant type, but the framework hides all low-level token handling and keeps your own code focused on business logic.