This repository was archived by the owner on Nov 7, 2019. It is now read-only.

Authentication

Nico Hauser edited this page Jan 9, 2017 · 15 revisions
  1. Register an OAuth client and store your secret safely.

  2. Set up a link to the endpoint /oauth2/authorize with the GET parameters client_id, response_type and redirect_uri. The API will then handle the authentication and return to the given REDIRECT_URI. Note that for security reasons the REDIRECT_URI has to be added to the list of REDIRECT_URIS in the OAuth client settings. The link may look like this:

     <a href={
       API_URL + "/oauth2/authorize?client_id=" + encodeURIComponent(CLIENT_ID) +
       "&response_type=code&redirect_uri=" + encodeURIComponent(REDIRECT_URI)}>
       Login
     </a>
    
  3. The API will now redirect the user to the given REDIRECT_URI with the GET parameter code. This parameter contains the authentication code that your application needs in order to obtain an access token. With this code and your client secret, you can now send a POST request to the endpoint /oauth2/token with the parameters clientId, clientSecret, code and grant_type. If you want to get an access token (which you most probably want), set the parameter grant_type to authorization_code. On success, this will return a JSON object containing the key access_token. This key refers to an object containing the keys token (the access token itself), clientId, userId and expires. Note: This shouldn't be an AJAX request in the user's browser, as your client's secret will be exposed that way.

  4. Store this token and now you're ready to go. In order to make an API call on the user's behalf, add the HTTP header Authorization with the content Bearer {token} (without the curly braces). When using an XMLHttpRequest, this can be done by executing http.setRequestHeader("Authorization", "Bearer " + accessToken);.
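
Steps 3 and 4 done on the server, so the client secret never reaches the browser. This is an added example, not code from this project. Assumptions: the token endpoint accepts a form-encoded body, and the function names and the `cfg` object are hypothetical.

```javascript
// Added example: server-side code exchange for steps 3 and 4 (Node.js 18+).
// Assumptions: form-encoded request body; the format of `expires` is not
// documented on this page, so it is passed through untouched.

// Build the POST request for /oauth2/token. The client secret only appears
// here, on the server, never in markup or scripts sent to the browser.
function buildTokenRequest(apiUrl, clientId, clientSecret, code) {
  const body = new URLSearchParams({
    clientId,
    clientSecret,
    code,
    grant_type: "authorization_code",
  });
  return {
    url: apiUrl.replace(/\/+$/, "") + "/oauth2/token",
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Validate the JSON object described in step 3 and return its access_token fields.
function parseTokenResponse(json) {
  const t = json && json.access_token;
  if (!t || typeof t.token !== "string" || t.token.length === 0) {
    throw new Error("token response has no access_token.token");
  }
  return { token: t.token, clientId: t.clientId, userId: t.userId, expires: t.expires };
}

// Exchange the `code` GET parameter for an access token.
// `fetchImpl` is injectable so the flow can be exercised without a network.
async function exchangeCode(cfg, code, fetchImpl = fetch) {
  if (typeof code !== "string" || code.length === 0) {
    throw new Error("missing authorization code");
  }
  const { url, options } = buildTokenRequest(cfg.apiUrl, cfg.clientId, cfg.clientSecret, code);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error("token endpoint returned HTTP " + res.status);
  return parseTokenResponse(await res.json());
}

// Step 4: header for API calls made on the user's behalf.
function authHeader(accessToken) {
  return { Authorization: "Bearer " + accessToken.token };
}
```

Call `exchangeCode` from the handler behind REDIRECT_URI and keep the returned token in server-side session storage.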
