The developer needs to submit a simple form to register the App. Once approved, the developer will receive an App ID(client_id) and App secret(client_secret). One developer can register multiple Apps, different Apps will have different IDs and secrets.
All API requests must have access token in
authorizationheader. It could be user access token or app access token.
Authorization Code grant returns user access token with appropriate scope where client could query user information.
Client Credentials grant returns app access token where it could be used for normal queries.
User access token: 30 days
App access token: 30 days
Refresh token: 1 year
The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted. At least 1 scope is required.
Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes an authorization code and any local state provided by the client earlier.
The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification (only POST method). Sample curl request:
If success, the authorization server responds back with an access token
We allow applications to remain authenticated for long time and refresh the access tokens. The refresh token (1 year expiry time) is single use. If used, a new refresh token will be issued with the new access token.
Sample curl request:
The scope is an optional field (space-separated list of scopes). This must be the entire or subset of the previously granted scopes. The default is the originally granted scopes.
If refresh access token with a subset of the previously granted scopes, all previously issued and new generated access tokens will have the same subset scopes.
Client could request app access token by making following HTTP request:
And expects to receive a response in the form: