OAuth 2

The Base API supports the industry-adopted standard OAuth 2.0 protocol.

We allow you to use OAuth 2.0 via one of four flows:

  • Authorization Code Grant - use it if you want to authorize a web application.

  • Implicit Grant - use it if you want to authorize a user-agent, like a desktop or a mobile application.

  • Resource Owner Password Credentials Grant - use it if you want to authenticate directly via Base API using resource owner’s password credentials.

  • Refresh Token Grant - use it to renew an access token when the current one expires.


Endpoints


Retrieve an authorization grant

Retrieve an authorization grant. OAuth 2.0 supports two authorization flows:

There is no direct return value. When the resource owner grants an access to your client application Base redirects back to the redirection URI - redirect_uri - and includes an authorization grant, of the type specified by the response_type, in either the query or the fragment of the URI.

Authorization Code Flow

If you follow the Authorization Code Flow the redirection URI will include the following query parameters:

Parameter Description
code An authorization code, which can be used to obtain an access token.
state The same value as passed to /oauth2/authorize.

Implicit Flow

If you choose to follow the Implicit Flow the redirection URI will include the following parameters in the URI’s fragment:

Parameter Description
access_token An access token.
token_type A token type. Set to bearer.
expires_in An expiration time. Set to one hour in seconds - 3600.
refresh_token A refresh token.
scope The scope of the access token. It must be present only if the requested scope is different from the default.

Parameters

Attribute Description
response_type string required

Authorization grant type requested. If you want to follow Authorization Code Flow, use code and if you want to use Implicit Flow, use token.

Possible values:

  • code
  • token
client_id string required

The unique identifier of the client you received from registration.

redirect_uri string required

The URL you registered as the Callback URL during the client registration.

scope string optional

A list of space-delimited scopes of the access request.

Possible values:

  • read
  • write
  • profile
state string optional

An opaque string value used to maintain state between the request and callback. The parameter is used to protect against Cross-Site Request Forgery (CSRF).


Retrieve an access token

Retrieves an access token. In order to retrieve a bearer access token and a refresh token, a client application makes a request to the token endpoint using the application/x-www-form-urlencoded format.

The following OAuth 2.0 flows are supported:

Notice that every request to the OAuth token endpoint requires client authentication. To authenticate an application use the standard Authorization header using basic authentication scheme, where username is the client_id and password is the client_secret.

The response body will include the following fields:

Parameter Description
access_token An access token.
token_type A token type. Set to bearer.
expires_in An expiration time. Set to one hour in seconds - 3600.
scope The scope of the access token.
refresh_token A refresh token.

Parameters

Attribute Description
grant_type string required

A grant type. If you want to follow Authorization Code Flow then use authorization_code and if you want to use Resource Owner Password Credentials Flow, use password.

Possible values:

  • authorization_code
  • password
client_id string required

A unique client identifier.

client_secret string required

A unique client secret.

scope string optional

A list of space-delimited scopes of the access request.

code string optional

The value of the authorization code you received from the authorization server in the authorization request. Required if grant_type is equal to authorization_code.

redirect_uri string optional

The redirection URI that was included in the authorization request. Required if grant_type is equal to authorization_code.

username string optional

The resource owner username. Required if grant_type is equal to password.

password string optional

The resource owner password. Required if grant_type is equal to password.


Revoke a token

Revoke a single access token or a single refresh token and all its related access tokens. This is done in order to notify us that tokens are no longer used so we can clean up security credentials. In order to revoke a token, a client application makes a request to the revocation endpoint using the application/x-www-form-urlencoded format.

Notice that every request to the OAuth revocation endpoint requires client authentication. To authenticate an application use the standard Authorization header using basic authentication scheme, where username is the client_id and password is the client_secret.

Parameters

Attribute Description
token string required

The token the client wants to revoke.

token_type_hint string optional

A hint about the type of the token.

Possible values:

  • access_token
  • refresh_token

Retrieve a CSRF token

When you use OAuth 2 either Authorization Code Grant or Implicit flow, it is highly recommended to pass an opaque string value called state to maintain a state between the request and callback. This parameter is used to protect against Cross-Site Request Forgery (CSRF) attacks. We provide you with an endpoint which returns safe, pseudo-random, anti-CSRF tokens. You can use your own as well. Either way it is highly recommended to use the state parameter during requests.

No authentication is required.

The response body will include the following fields:

Parameter Description
csrf_token An anti-CSRF token.
generated_at Date and time of the token generation in UTC (ISO8601 format).