...
Name | Required | Description |
---|---|---|
response_type | Yes | Always set to code. |
redirect_uri | Yes | URI where the system sends the response. |
client_id | Yes | App Key as generated by the system at registration time. |
state | No, but recommended | Parameter to be used by the App to verify if the response received from the system is valid. From the point of view of the server, it does not matter how the state parameter is generated. |
The example below demonstrates how to make a POST request to the authorization endpoint:
...
The App receives an authorization code. If the user has been granted access to the App, the system redirects the user to the URI specified in the redirect_uri parameter. The system uses the HTTP GET method to make the request to the App's endpoint:
...
Name | Required | Description |
---|---|---|
grant_type | Yes | Always set to authorization_code |
code | Yes | The code received in STEP 4. |
redirect_uri | Yes | URI where the system returns the response. |
client_id | Yes | App Key as generated by the system at registration time. |
client_secret | Yes | App Secret as generated by the system at registration time. |
state | No, recommended | Parameter to be used by the App to verify if the response received from the system is valid. From the point of view of the server, it does not matter how the state parameter is generated. |
The example below demonstrates how to make a POST request to the token endpoint:
...
```
HTTP 1.1 200 OK
...
{
  "access_token":"1|5~2wKMPg9h~GExN3s01-7wX2XmLI_Xbz|1|1345716093|O_XQYdHR0P-xMvqbVsh_OwRH7GT4.FtR",
  "expires_in":7200,
  "token_type":"Bearer",
  "refresh_token":"9_s2TBCQ1y.PPzVNXkT-Gff6tB9z_bqr",
  "state":"appstate"
}
```
The response parameters are:
Name | Description |
---|---|
access_token | Value of the access token. This value is used when making requests to APIs. |
expires_in | Period of time, in seconds, during which the token is valid. |
token_type | The type of the token. Only Bearer is possible. |
refresh_token | Refresh token that can be used to regenerate the token once expired. |
state | State parameter as received in the request. |
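
The tables above describe `state` as the App's way to verify that a response is valid. The following is an added example, not code from the original documentation, showing one way an App can generate `state`, bind it to the user's session, check it on the redirect and again in the token response. It assumes the redirect carries `code` and `state` as query parameters (standard OAuth 2.0 behaviour) and that `session` is a per-user dict-like store; the function names and the constant values are constructed for illustration.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values; real ones are issued at App registration.
CLIENT_ID, CLIENT_SECRET = "example-app-key", "example-app-secret"
REDIRECT_URI = "https://app.example.com/callback"

def _same(a, b):
    """Constant-time comparison that also tolerates non-ASCII input."""
    return hmac.compare_digest(a.encode(), b.encode())

def begin_authorization(session):
    """Bind a fresh, unguessable state to the session; return request params."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return {"response_type": "code", "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "state": session["oauth_state"]}

def token_request_body(session, callback_url):
    """Check the redirect received at redirect_uri, then build the
    form-encoded token request body. Raises ValueError on any failure."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    received = query.get("state", [""])[0]
    if not expected or not _same(expected, received):
        raise ValueError("state mismatch: response not tied to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("authorization code missing")
    session["token_state"] = received  # remembered for the token response
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, "state": received})

def accept_token_response(session, body):
    """Accept the token JSON only if it is a Bearer token echoing our state."""
    data = json.loads(body)
    expected = session.pop("token_state", None)
    if not expected or not _same(expected, str(data.get("state", ""))):
        raise ValueError("state mismatch in token response")
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    return data
```

The body returned by `token_request_body` is what the App would POST to the token endpoint with the `application/x-www-form-urlencoded` content type.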
...
Note: We advise you to use this flow only if you trust the App requesting authorization. Trusted Apps can be added as described in Register App documentation.
Step 1
The App requests an access_token. It makes an HTTP POST request to the token endpoint located at https://<hostname>/oauth/token.php. The request is made by adding the following parameters to the body of the request, using the application/x-www-form-urlencoded format. The table below lists the request parameters:
Name | Required | Description |
---|---|---|
grant_type | Yes | Always set to client_credentials |
redirect_uri | Yes | URI where the system returns the response. |
client_id | Yes | App Key as generated by the system at registration time. |
client_secret | Yes | App Secret as generated by the system at registration time. |
state | No, recommended | Parameter to be used by the App to verify if the response received from the system is valid. From the point of view of the server, it does not matter how the state parameter is generated. |
Step 2
The App receives the access token. The response is similar to the response received in the previous flow. The only difference is that no refresh_token is generated. When the token expires, the App must request to authorize with the system again, by repeating the step above.
...
Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International.