AddIn Only

AddIn Only authentication
This type of authentication uses AddIn Only policy and OAuth bearer tokens for authenticating HTTP requests.


type AuthCnfg struct {
// SPSite or SPWeb URL, which is the context target for the API calls
SiteURL string `json:"siteUrl"`
// Client ID obtained when registering the AddIn
ClientID string `json:"clientId"`
// Client Secret obtained when registering the AddIn
ClientSecret string `json:"clientSecret"`
// Your SharePoint Online tenant ID (optional)
Realm string `json:"realm"`
Realm can be left empty or filled in, that will add small performance improvement. The easiest way to find tenant is to open SharePoint Online site collection, click Site Settings -> Site App Permissions. Taking any random app, the tenant ID (realm) is the GUID part after the @.


private.json sample:
"siteUrl": "",
"clientId": "e2763c6d-7ee6-41d6-b15c-dd1f75f90b8f",
"clientSecret": "OqDSAAuBChzI+uOX0OUhXxiOYo1g6X7mjXCVA9mSF/0="

Code sample

package main
import (
// "os"
strategy ""
func main() {
// authCnfg := &strategy.AuthCnfg{
// SiteURL: os.Getenv("SPAUTH_SITEURL"),
// ClientID: os.Getenv("SPAUTH_CLIENTID"),
// ClientSecret: os.Getenv("SPAUTH_CLIENTSECRET"),
// }
// or using `private.json` creds source
authCnfg := &strategy.AuthCnfg{}
configPath := "./config/private.json"
if err := authCnfg.ReadConfig(configPath); err != nil {
log.Fatalf("unable to get config: %v", err)
client := &gosip.SPClient{AuthCnfg: authCnfg}
// use client in raw requests or bind it with Fluent API ...

Extending client secrets

It's important to know that the legacy AddIn authentication's Client Secrets are issued for a limited time. After expiration, if not managed right way there is a risk to get a service connection aunothorized with the following message:
AADSTS7000222: The provided client secret keys for app '***' are expired. Visit the Azure portal to create new keys for your app:, or consider using certificate credentials for added security:
Install-Module -Name AzureAD
Install-Module MSOnline
Connect-MsolService # provide tenant admin account creds
$clientId = 'e2763c6d-7ee6-41d6-b15c-dd1f75f90b8f' # replace with your clientId
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)
$newClientSecret # outputs new clientSecret

Known issues

AddIn Only auth is considered a legacy, in a production Azure Cert is vendor recommended.
In new subscriptions you can face Grant App Permission disabled. You'll be getting the following error:
"error": "invalid_request",
"error_description": "Token type is not allowed."
To enable this feature, connect to SharePoint using Windows PowerShell and then run:
set-spotenant -DisableCustomAppAuthentication $false.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
$adminUPN="<the full email address of a SharePoint administrator account, example: [email protected]>"
$orgName="<name of your Office 365 organization, example: contosotoycompany>"
$userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."
Connect-SPOService -Url https://$ -Credential $userCredential
set-spotenant -DisableCustomAppAuthentication $false