# The User OAuth flow

> The User OAuth flow lets you build an integration that can access multiple Qonto organizations belonging to the same user.

If you want to build an integration that can access multiple Qonto organizations belonging to the same user, without asking for their consent separately for each one, you can use the User OAuth flow. This flow is a variant of the `membership` [OAuth flow](/get-started/business-api/authentication/oauth/oauth-flow), but allows the user to grant consent to multiple organizations at once. The `access_token` obtained from this flow is then valid for all the organizations the user has consented to.

<Warning>
  This flow is only available for applications that have been approved by Qonto.
  To be approved, you must be AIS/PIS compliant and have a clear use case for this flow.
  If you think your application could benefit from this flow, please open a support ticket from the Developer Portal.
  This flow is exclusive: if you use it, you cannot use the `membership` flow for the same application.
</Warning>

## How does it work?

### Step 1: User authentication

To obtain an `access_token` and a `refresh_token` for a user, follow the same OAuth flow as the `membership` flow with the following differences:

1. Add the `identity_type=user` query parameter to the authorization URL.
2. Request the `user_organization.read` scope in addition to the scopes you would normally request for the `membership` flow.

Then, redirect the user to the authorization URL. After the user grants their consent, you will receive an `authorization_code` that you can exchange for an `access_token` and a `refresh_token` as usual.

### Step 2: Retrieve the list of organizations

Once you have an `access_token` for the user, retrieve the list of organizations the user has consented to by making a `GET` request to the `/v2/user_organizations` endpoint with the `access_token` in the `Authorization` header.
This endpoint returns the list of organizations the user granted access to, along with their `id`, `name`, and `membership_role`.

### Step 3: Access the organizations' data

You can now call any other endpoint of the API with the same `access_token`. However, you must include the following header in your requests: `X-Qonto-Organization-Id: {organization_id}`.
This header is required to specify which organization's data you want to access, since the `access_token` is valid for multiple organizations.

<Note>
  If you provide an `organization_id` that the user has not consented to, you will receive a `403 Forbidden` error.
  The same error is returned if you omit the header entirely.
</Note>

### Step 4: Modify the list of organizations

If you want to let the user modify the list of organizations they have consented to, redirect them to the login flow described in step 1. The user can then update their consent: grant access to new organizations or revoke access to existing ones. After the user has modified their consent, call the `/v2/user_organizations` endpoint again to retrieve the updated list.
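
A small client that walks through the four steps above, as an added example that is not part of Qonto's documentation or SDKs. It assumes placeholder hosts for the authorization and API endpoints, the usual Bearer scheme in the `Authorization` header, and a `user_organizations` JSON key wrapping the list; `fake_transport` and the `org_1` organization are constructed so the example runs offline.

```python
import json
from urllib.parse import urlencode

AUTHORIZE_URL = "https://oauth.qonto.example/authorize"  # ASSUMPTION: placeholder host
API_BASE = "https://api.qonto.example/v2"                # ASSUMPTION: placeholder host
ORG_HEADER = "X-Qonto-Organization-Id"                   # header named on this page

def build_user_authorization_url(client_id, redirect_uri, scopes, state):
    # Step 1: membership authorization URL + identity_type=user + user_organization.read scope.
    all_scopes = list(dict.fromkeys([*scopes, "user_organization.read"]))  # added once
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "state": state, "scope": " ".join(all_scopes), "identity_type": "user"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

class UserOAuthClient:
    def __init__(self, access_token, transport):
        self.access_token = access_token
        self.transport = transport  # callable(method, url, headers) -> (status, body)
        self.organizations = {}     # id -> {"id", "name", "membership_role"}

    def load_organizations(self):
        # Step 2: GET /v2/user_organizations needs only the Authorization header.
        headers = {"Authorization": f"Bearer {self.access_token}"}  # ASSUMPTION: Bearer scheme
        status, body = self.transport("GET", f"{API_BASE}/user_organizations", headers)
        if status != 200:
            raise RuntimeError(f"user_organizations returned HTTP {status}")
        # ASSUMPTION: the array is wrapped in a "user_organizations" key.
        self.organizations = {o["id"]: o for o in json.loads(body)["user_organizations"]}
        return self.organizations

    def get(self, path, organization_id):
        # Step 3: scope every other call with X-Qonto-Organization-Id; unconsented ids fail locally.
        if organization_id not in self.organizations:
            raise PermissionError(f"no consent for organization {organization_id}")
        headers = {"Authorization": f"Bearer {self.access_token}", ORG_HEADER: organization_id}
        status, body = self.transport("GET", f"{API_BASE}{path}", headers)
        if status == 403:  # consent revoked since step 2 (step 4): reload the list first
            raise PermissionError(f"403 Forbidden for organization {organization_id}")
        return json.loads(body)

def fake_transport(method, url, headers):
    # CONSTRUCTED stand-in for HTTP so the example runs offline; "org_1" is made up.
    consented = {"org_1": {"id": "org_1", "name": "Acme SAS", "membership_role": "owner"}}
    if url.endswith("/user_organizations"):
        return 200, json.dumps({"user_organizations": list(consented.values())})
    if headers.get(ORG_HEADER) not in consented:  # missing or unconsented header -> 403
        return 403, json.dumps({"errors": [{"code": "forbidden"}]})
    return 200, json.dumps({"organization_id": headers[ORG_HEADER], "path": url[len(API_BASE):]})
```

Replace `fake_transport` with a real HTTP call (for example via `requests`) that returns `(status_code, text)` to use the client against the live API.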
