Triggering Power Automate with Specific User or Tenant Tokens

I've set up an instant flow and want to utilize all the capabilities of the "When an HTTP request is received" action. However, I'm struggling to find a way to include a token in the flow's URL.

Hey there. So, you’re trying to add a token to the flow URL of your instant flow that uses the “When an HTTP request is received” action. Here’s the deal:

To include a token, you need to set up the flow to use OAuth authentication. There are a few ways to do this, but I’ll walk you through the simplest method.

Step 1: Configure Your Flow

  1. Edit your flow and navigate to the “When an HTTP request is received” trigger.
  2. Select one of the following options under “Who can trigger the flow”:
    • Any user in the tenant: Allows any user in your tenant to trigger the flow.
    • Specific users in the tenant: Allows only specified users in your tenant to trigger the flow.

Step 2: Get the Correct Claims

The HTTP request to your flow needs to include specific claims in the Bearer token. Here are the claims you need:

  • aud: Audience value based on your cloud type (like https://service.flow.microsoft.com/ for the public cloud)
  • iss: Issuer of the requestor (the token issuance authority of your tenant)
  • tid: Tenant ID (GUID) of the requester
  • oid: Object ID of the requester (optional, only needed if you’re restricting to specific users in your tenant)

For more details on the claims and how to extract them with the Microsoft Authentication Library (MSAL), check out the Power Automate documentation.

Step 3: Add the Bearer Token to Your URL

When sending the HTTP request to your flow, include the Bearer token in the HTTP headers. Here’s what it should look like:

POST https://<flow_trigger_URL> HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer <your_bearer_token>

{}

Remember

  • If you are using Specific users in the tenant, provide their email addresses in the Allowed users field within the flow settings.
  • If you choose Anyone, the trigger URL will include a SAS signature, which isn’t recommended for security reasons.

By following these steps, you’ll ensure that your flow is triggered securely with the right tokens and user restrictions.
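
A client-side preflight for the claims listed in Step 2, as an added example that is not part of the original answer or Microsoft's code: it decodes the token payload, compares aud, iss, tid and (optionally) oid against what the flow expects, and builds the request from Step 3 without sending it. The tenant ID, issuer URL, object ID and flow URL are constructed placeholders, and the exp check is an extra standard-JWT check not listed in the answer.

```python
import base64, json, time, urllib.request

PUBLIC_CLOUD_AUD = "https://service.flow.microsoft.com/"  # public-cloud value from Step 2

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (the service does that)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(token, tenant_id, issuer, allowed_oids=None, aud=PUBLIC_CLOUD_AUD, now=None):
    """Return a list of claim problems; an empty list means the token looks usable."""
    c = jwt_claims(token)
    expected = {"aud": aud, "iss": issuer, "tid": tenant_id}
    problems = [f"{k} is {c.get(k)!r}, expected {v!r}"
                for k, v in expected.items() if c.get(k) != v]
    # oid only matters when the trigger is restricted to specific users
    if allowed_oids is not None and c.get("oid") not in allowed_oids:
        problems.append(f"oid {c.get('oid')!r} is not an allowed user")
    if c.get("exp", 0) <= (now or time.time()):  # exp: standard JWT expiry claim
        problems.append("token is expired")
    return problems

def build_request(flow_url, token, body=None):
    """Build (not send) the POST from Step 3; the token travels in the header."""
    return urllib.request.Request(
        flow_url, data=json.dumps(body or {}).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})

def make_sample_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    tid = "11111111-1111-1111-1111-111111111111"   # constructed tenant ID
    iss = f"https://sts.windows.net/{tid}/"        # constructed issuer for that tenant
    # Wrong audience (token requested for another resource) and unlisted user
    tok = make_sample_token({"aud": "https://graph.microsoft.com", "iss": iss,
                             "tid": tid, "oid": "constructed-oid-b",
                             "exp": time.time() + 600})
    for p in preflight(tok, tid, iss, allowed_oids={"constructed-oid-a"}):
        print("REJECT:", p)
```
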