jzikmund
Community Member

Upwork API OAuth2 redirect_uri format

Hi,

 

I am implementing OAuth2 API access to Upwork. I am using your PHP library to generate initial authorization link and to send me to Upwork to confirm. But for some reason, instead of the confirmation prompt, Upwork always greets me with an error "Missing or invalid redirect_uri parameter value". 

 

I tried all formats of the URL parameter I could think of in the browser, like the exact copy from api docs:

&redirect_uri=https://a.callback.url

I tried url-encoded:

&redirect_uri=https%3A%2F%2Fcallback.com

and regular existing:

&redirect_uri=https://google.com

or something stupid like 

&redirect_uri=abc

 

No matter what I put there, I still get the error, it just won't go away. Only time when it works and I got the prompt is when I omit the redirect_uri parameter completely. But whenever I put the parameter there, I get the error, whatever I put as the parameter value.

 

What am I missing here? Please note that I have several environments (local, staging, production), so I absolutely NEED this parameter, I cannot rely on the single domain Callback URL which I have filled in my API key. Can you give me a working example of how to format the URL in the browser so your validation accepts that?


esadr
Community Member

It works like this.

[Attached image: esadr_0-1650113938735.png]

 

jzikmund
Community Member

Oh, that's interesting, you have the same format I had.. So that got me thinking, and it just looks like the URL has to start with whatever I have configured as Callback URL in my API key.

 

I set the Callback URL to https://mysite.com/upwork-callback , so indeed the redirect_uri parameter works for mysite.com/upwork-callback and mysite.com/upwork-callback/test  ... BUT it doesn't work for mysite.com/upwork, and what's much worse, it doesn't work for staging.mysite.com/upwork-callback or mysite.test/upwork-callback.

 

So the question is - is there a way to avoid this limitation and allow passing a different domain? As currently I don't think so, and the "Callback URL" parameter in my domain key cannot be empty either.

 

So how shall I deal with multiple environments? Please just don't tell me I have to register another two applications and wait another month for their approval *screeching teeth*
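The matching behaviour reported in the post above, modelled as an added example (not Upwork's code and not part of the original posts): a pre-flight check that tells you whether a `redirect_uri` would pass before you send a user to the authorization page. It assumes the comparison is same scheme, host and port plus a whole-segment path prefix, which is consistent with the reported results but not confirmed by Upwork; the `https://` scheme on the candidates and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Callback URL from the post; the https:// scheme on the candidates is assumed.
REGISTERED = "https://mysite.com/upwork-callback"
DEFAULT_PORTS = {"http": 80, "https": 443}

def parts(url):
    """Split a URL into the components that are compared one by one."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    try:
        port = u.port or DEFAULT_PORTS.get(scheme)
    except ValueError:          # non-numeric or out-of-range port
        port = None
    segments = [s for s in u.path.split("/") if s]
    return scheme, (u.hostname or "").lower(), port, segments

def matches_exact(registered, candidate):
    """Strict policy: the parameter must equal the registered value."""
    return candidate == registered

def matches_prefix(registered, candidate):
    """Policy the thread observed: same origin, path at or below the callback."""
    r_scheme, r_host, r_port, r_path = parts(registered)
    c_scheme, c_host, c_port, c_path = parts(candidate)
    if not c_host or (r_scheme, r_host, r_port) != (c_scheme, c_host, c_port):
        return False
    if ".." in c_path or "." in c_path:     # no dot-segments that climb out
        return False
    # Compare whole path segments rather than raw string prefixes
    return c_path[:len(r_path)] == r_path

def preflight(registered, candidates):
    """Map each candidate redirect_uri to (exact_ok, prefix_ok)."""
    return {c: (matches_exact(registered, c), matches_prefix(registered, c))
            for c in candidates}
```
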

esadr
Community Member

I hope you know that the next step is where you will get access_token and refresh_token which I think are valid for 24 hours.

 

Maybe it's best for you to cache token data on your Callback URL, which later can be called from your different environments.

jzikmund
Community Member

Sure, I know I will get the tokens, but I am not sure I follow the other half.

 

Imagine I have one app running on my local on http://site.test , and one on server  https://site.com. I send the user to Upwork to authorize, but I need to specify where did he come from so she gets redirected to the correct domain. If I am authenticating from site.test, what good is to redirect user to site.com with the tokens? That won't authenticate me on site.test... 

 

So far I just see ugly options, like somehow manually copy the tokens, or log them somewhere and then manually copy to other environments, but that's ugly.. So how do I do it? Or do I really need to sign up for another app just to be able to insert another Callback domain?

Wouldn't it be at least possible to allow local domains like .test for the callback outside of the main Callback URL parameter? As seriously I am running out of ideas how to efficiently develop/test this outside of production server

esadr
Community Member

I haven't really tested the options you mention so I can't say for sure (I only have access for a couple of weeks). I think that as long as you have a valid token, then you can make API calls from wherever you want.

 

Why is it an ugly option to save a token to some database or log file and retrieve that data from another environment?

 

lysis10
Community Member

I don't know if I'm understanding you properly, but can you add a querystring value to the callback url and then redirect based on that value?

jzikmund
Community Member

Yes, you can, but apparently this URL has to be within the domain defined on your Upwork application key. So this parameter is somewhat useless - it serves the same purpose as the "Callback URL" field on your key, and cannot be changed to another domain like staging.yoursite.com. 

jzikmund
Community Member

Actually you might be right, that could be an option. But that means there has to be one main environment that will be handling the redirects, some extra code to harvest the tokens and set up the redirect, again this feels pretty ugly to spoil the codebase unnecessarily. Also, considering how sensitive the tokens are, I don't really feel like going this way. I will probably just set up multiple applications, each one with callback tailored to one environment, hopefully Upwork will approve them.
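The relay idea discussed in the posts above, as an added example that is not part of the original thread and not Upwork's or the PHP library's code: the single registered callback forwards only the authorization `code` (never tokens) to an environment named in an HMAC-signed `state` value and looked up in a fixed allowlist. It carries the environment in the standard OAuth2 `state` parameter rather than in a callback query string, and assumes Upwork returns `state` unchanged; the key, environment URLs and function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

STATE_KEY = b"constructed-demo-key"   # hypothetical secret, load from config
MAX_AGE = 600                         # seconds a state value stays valid
# Hypothetical allowlist: the relay forwards nowhere else.
ENVIRONMENTS = {
    "local": "http://site.test/upwork-callback",
    "staging": "https://staging.mysite.com/upwork-callback",
    "production": "https://mysite.com/upwork-callback",
}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_state(env, now=None):
    """Called by the environment that starts the flow."""
    if env not in ENVIRONMENTS:
        raise ValueError("unknown environment")
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"env": env, "iat": issued,
                          "nonce": secrets.token_urlsafe(16)}).encode()
    mac = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(mac)

def relay_target(state, code, now=None):
    """Called on the registered callback; returns the forward URL or None."""
    try:
        payload64, mac64 = state.split(".")
        payload, mac = b64d(payload64), b64d(mac64)
    except ValueError:                # wrong shape or bad base64
        return None
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                   # state was not issued by us
    data = json.loads(payload)        # parsed only after the MAC checks out
    current = time.time() if now is None else now
    if current - data["iat"] > MAX_AGE:
        return None                   # stale authorization attempt
    base = ENVIRONMENTS.get(data["env"])
    if base is None:
        return None
    return base + "?" + urlencode({"code": code, "state": state})
```

The receiving environment should still compare the forwarded `state` with the one it stored in the user's session before exchanging the code.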

NikolaS
Moderator

Hi Jan,

 

Thank you for reaching out to us. I shared your report with our team and one of our agents already reached out to you directly via a support ticket to assist you further. You can access your ticket on this page.

 

~ Nikola
Upwork
6bfcdaf8
Community Member

Hi Jan, you have figured out that, due to security needs, one should specify their possible redirect URLs first in the OAuth client configuration page before being able to actually use it. This is due to security needs and it works the same way for all OAuth providers like Google, Microsoft, etc.

Unfortunately it seems that the Upwork OAuth client settings page allows you to have a single callback URL, while it is very common for other providers to allow multiple entries. I believe this is something they would need to improve. Otherwise you can just create a new OAuth client for each environment you're looking to utilize.

Hi Alper,

 

thanks, that pretty much confirms my thoughts. So I will just apply for another application key for my staging environment, and until it is approved, I will just be switching the domain on my single key as I need to. Fortunately at least this change is instant and I don't have to wait for any more approvals.

 

I am not happy about this, I would feel better having the same Upwork application key, that could be used from all environments properly using the redirect_uri parameter (which is imo kind of useless in its current form where it has to match the URL set on the api key). But well, if this is the best we can get, I can probably live with that.

jasonrush
Community Member

Hello,

 

I know I'm adding a question to a thread that's been closed for 2 months, but I'm also trying to use the API and have a question building off of this. I'm trying to create a script to regularly gather information from my own individual account (transaction history, etc). As this is ideally running as a background job and in no way web-based, I've created the project as project type "desktop" which shows the Callback URL as optional. Is the callback URL actually optional, or is the Upwork API Key request form inaccurate when it says optional and it's actually required to be provided and to match as specified in the above answer?

 

Jason

Honestly I am not sure. As far as I've used OAuth2 (even in the case described above), the authentication flow always happened through the browser - sending user to upwork, let her confirm the connection if not already authenticated, send back and store keys in cache. Then whenever my app sees expired keys or connection not authenticating anymore, it just shows a message like "Upwork disconnected" and a button that sends the visitor back to upwork to confirm again.

 

This reconfirmation doesn't require any mouseclicks or interaction on upwork, because Upwork already sees the app has been approved, so just gives me the keys and sends me back. But how I would do it without the browser I am not sure. There are refresh tokens, which I am using on daily basis to update my keys, but still occasionally the app reports as disconnected, so I just use this as a fallback. Not sure if there is anything better, but certainly would be nice. 

esadr
Community Member

I think you will need to go through the browser to authenticate your application on the Upwork server.

 

I'm also not sure about the desktop project type, I'm using a web project. I use refresh tokens and it has never happened to me that I have to re-authenticate the application.

 

By the way, has anyone noticed that the buyer.op_tot_charge attribute is limited to 50,000 max. I’m not sure why there is a limit and how to get how much a client has spent on the Upwork platform if it's over $ 50K.

 

Hi Jason,

 

Thank you for your message. I will need to verify this information with our technical team. I'll have one of our customer support agents reach out to you directly to assist you further.

 

Thank you,

Pradeep

Upwork