Ask or search…

AddIn Only

AddIn Only authentication
SharePoint Add-Ins will stop working for new tenants as of November 1st, 2024 and they will stop working for existing tenants and will be fully retired as of April 2nd, 2026. See more.


type AuthCnfg struct {
// SPSite or SPWeb URL, which is the context target for the API calls
SiteURL string `json:"siteUrl"`
// Client ID obtained when registering the AddIn
ClientID string `json:"clientId"`
// Client Secret obtained when registering the AddIn
ClientSecret string `json:"clientSecret"`
// Your SharePoint Online tenant ID (optional)
Realm string `json:"realm"`
Realm can be left empty or filled in, that will add small performance improvement. The easiest way to find tenant is to open SharePoint Online site collection, click Site Settings -> Site App Permissions. Taking any random app, the tenant ID (realm) is the GUID part after the @.


private.json sample:
"siteUrl": "",
"clientId": "e2763c6d-7ee6-41d6-b15c-dd1f75f90b8f",
"clientSecret": "OqDSAAuBChzI+uOX0OUhXxiOYo1g6X7mjXCVA9mSF/0="

Code sample

package main
import (
// "os"
strategy ""
func main() {
// authCnfg := &strategy.AuthCnfg{
// SiteURL: os.Getenv("SPAUTH_SITEURL"),
// ClientID: os.Getenv("SPAUTH_CLIENTID"),
// ClientSecret: os.Getenv("SPAUTH_CLIENTSECRET"),
// }
// or using `private.json` creds source
authCnfg := &strategy.AuthCnfg{}
configPath := "./config/private.json"
if err := authCnfg.ReadConfig(configPath); err != nil {
log.Fatalf("unable to get config: %v", err)
client := &gosip.SPClient{AuthCnfg: authCnfg}
// use client in raw requests or bind it with Fluent API ...

Extending client secrets

It's important to know that the legacy AddIn authentication's Client Secrets are issued for a limited time. After expiration, if not managed right way there is a risk to get a service connection aunothorized with the following message:
AADSTS7000222: The provided client secret keys for app '***' are expired. Visit the Azure portal to create new keys for your app:, or consider using certificate credentials for added security:
Install-Module -Name AzureAD
Install-Module MSOnline
Connect-MsolService # provide tenant admin account creds
$clientId = 'e2763c6d-7ee6-41d6-b15c-dd1f75f90b8f' # replace with your clientId
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)
$newClientSecret # outputs new clientSecret

Known issues

AddIn Only auth is considered a legacy, in a production Azure Cert is vendor recommended.
In new subscriptions you can face Grant App Permission disabled. You'll be getting the following error:
"error": "invalid_request",
"error_description": "Token type is not allowed."
To enable this feature, connect to SharePoint using Windows PowerShell and then run:
set-spotenant -DisableCustomAppAuthentication $false.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
$adminUPN="<the full email address of a SharePoint administrator account, example: [email protected]>"
$orgName="<name of your Office 365 organization, example: contosotoycompany>"
$userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."
Connect-SPOService -Url https://$ -Credential $userCredential
set-spotenant -DisableCustomAppAuthentication $false