# App Installation and Authentication

Partner apps are installed by merchants through an **install endpoint** you host and configure in the Partner dashboard. When a merchant clicks install, Finqu redirects them to that URL; your app then runs the **OAuth 2.0** flow to obtain API credentials for that merchant.

## Installation flow in short

1. **Merchant clicks “Install” in Finqu** → Finqu redirects to your install endpoint.
2. **Your install endpoint** redirects the merchant to Finqu’s OAuth **authorization** URL (with your `client_id`, `redirect_uri`, `scope`, `state`).
3. **Merchant authorizes** in Finqu (sign in if needed, approve scopes).
4. **Finqu redirects back** to your `redirect_uri` with an authorization `code` and `state`.
5. **Your backend** exchanges the code at the OAuth **token** endpoint and receives access and refresh tokens.
6. **Optional:** Call the OAuth **resource** endpoint to get merchant info and the merchant-specific API base URL.
7. **Store** the tokens (and optionally merchant id and API URL) for that installation and show a success or “back to Finqu” page.

All OAuth details (endpoints, parameters, token exchange, scopes, refresh) are in the [Authentication (OAuth basics)](/get-started/authentication) guide. For REST usage, see [REST API Authentication](/apis-and-tools/rest-api/authentication).

## Partner app settings

In the Finqu Partner dashboard, for your app:

- **Install URL** — The public URL of your install endpoint (HTTPS). Finqu sends merchants here when they start installing. Use a dedicated path (e.g. `/install` or `/finqu/install`).
- **Redirect URI(s)** — Every callback URL you use in the OAuth flow must be registered here. Finqu redirects to one of these with the authorization code.

## After installation

- Use the **access token** in the `Authorization: Bearer <access_token>` header when calling the Finqu API.
- Use the **merchant-specific API base URL** (from the OAuth resource endpoint) for all API requests.
- When the access token expires, use the **refresh token** to get a new one; see [Authentication (OAuth basics)](/get-started/authentication#using-refresh-tokens).

For embedded admin UIs, Finqu identifies the merchant with a **context token** (JWT), not the OAuth access token. See [App Context](./app-context).