Description
Summary
During OAuth token exchange (/v3/connect/token), the Nylas SDK sends the API key as client_secret in the request body, not just in the Authorization header.
This is unexpected behavior — most OAuth implementations rely on the Authorization header for credentials. When using a reverse proxy that rewrites the Authorization header (a common pattern for credential injection), the client_secret in the body still contains the original/placeholder value, causing the token exchange to fail with "Invalid credentials".
Steps to Reproduce
- Initialize the Nylas SDK:

```js
import Nylas from "nylas";

const nylas = new Nylas({
  apiKey: "SOME_KEY",
  apiUri: "https://api.us.nylas.com",
});
```

- Call `exchangeCodeForToken`:

```js
// authCode is the authorization code returned to your callback URI
const response = await nylas.auth.exchangeCodeForToken({
  clientId: "your-client-id",
  redirectUri: "your-callback-uri",
  code: authCode,
});
```

- Observe the outgoing POST to `/v3/connect/token`. The API key appears in both places:
  - `Authorization: Bearer SOME_KEY` (header)
  - `client_secret: "SOME_KEY"` (request body)
Expected Behavior
The API key should only be sent in the Authorization header, consistent with standard OAuth 2.0 practices. The request body should contain client_id, code, redirect_uri, and grant_type — not the secret.
Impact
This breaks common infrastructure patterns where a proxy handles credential injection by rewriting the Authorization header. The proxy has no reason to inspect/rewrite the request body, so the original placeholder key leaks through and gets rejected.
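To make the failure mode concrete, here is an added example (not Nylas SDK code) that models the token request as the report describes it, passes it through a proxy that rewrites only the `Authorization` header, and audits what reaches the API. It assumes a JSON request body and constructed key values; `stripSecretFromBody` is a hypothetical client-side mitigation showing the header-only behaviour the report asks for.

```javascript
// Added example, not part of the Nylas SDK. Key values are constructed.
const PLACEHOLDER_KEY = "SOME_KEY";            // value the SDK was initialised with
const REAL_KEY = "real-key-injected-by-proxy"; // constructed secret held by the proxy

// Builds the token request the way the report describes the SDK doing it:
// the API key goes in the Authorization header AND as client_secret in the body.
// Assumption: the body is JSON (the report shows it as `client_secret: "SOME_KEY"`).
function buildTokenRequest(apiKey, { clientId, redirectUri, code }) {
  return {
    method: "POST",
    path: "/v3/connect/token",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      client_id: clientId,
      client_secret: apiKey, // the field the report objects to
      redirect_uri: redirectUri,
      code,
      grant_type: "authorization_code",
    }),
  };
}

// Credential-injection proxy: swaps the Authorization header, never touches the body.
function proxyRewriteAuthHeader(req, realKey) {
  return { ...req, headers: { ...req.headers, Authorization: `Bearer ${realKey}` } };
}

// Audit what the API would see: is a secret in the body, and does it agree
// with the header? A mismatch is exactly the "Invalid credentials" situation.
function auditTokenRequest(req) {
  const headerKey = (req.headers.Authorization || "").replace(/^Bearer\s+/i, "");
  const bodyKey = JSON.parse(req.body).client_secret ?? null;
  return {
    secretInBody: bodyKey !== null,
    headerBodyMismatch: bodyKey !== null && bodyKey !== headerKey,
  };
}

// Hypothetical mitigation: remove client_secret before the request leaves the
// client, so the Authorization header is the only credential carrier.
function stripSecretFromBody(req) {
  const { client_secret, ...rest } = JSON.parse(req.body);
  return { ...req, body: JSON.stringify(rest) };
}
```

Running the audit on the proxied request reports a body secret that no longer matches the header; after `stripSecretFromBody` the proxied request carries the credential in the header only.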
Environment
- SDK: `nylas` (Node.js)
- API Version: v3
- Endpoint: `POST /v3/connect/token`