Callback URLs

You can specify URLs that users will be redirected to after they install an ICR App.

When you register an ICR App, you can specify an allowlist of callback URLs. When users install your ICR App, they are redirected to the first callback URL in the allowlist, unless the redirectUri query parameter is non-empty. If it is non-empty the redirectUri is used but only if it matches an allowed callbackURL from the callback URL list. If it does not match any, the first callback URL is used. If additional setup is required after installation, you can use this URL to tell users what steps to take next.

---

Warning: When ICR redirects users to the callback URL, it includes an installationId query parameter. Bad actors can hit this URL with a spoofed installationId. Therefore, you should not rely on the validity of the installationId parameter. Instead, you should generate an organization access token for the organization where the app was installed and then check that the installation is associated with that organization. For more information, see "Generating an installation access token for an ICR App."

---

For more information about registering an ICR App, see "Registering an ICR App."