
Authorization Code Grant

When you have a place to store your client credentials safely (a backend server the browser cannot read), you can use the authorization code grant.

caution

The only confidential value of your client is the client_secret. Keep it private!

How it works

  1. The user asks to log in from within your application
  2. Instead of building a login form, you just redirect the user to our OAuth endpoint
  3. The user authenticates with their credentials
  4. If nothing goes wrong, the AniAPI server redirects the user to your app with an authorization_code
  5. Your application uses the code to get the user's access_token

Requirements

  • An AniAPI OAuth Client
  • A frontend application
  • A backend server

Redirect the user

Open a browser window (or just redirect if your application is a website) and make a request to https://api.aniapi.com/v1/oauth. The oauth endpoint expects some parameters to identify the client calling it:

Name           Required  Description
client_id      Yes       Your client ID
redirect_uri   Yes       Your client redirect URI
response_type  Yes       For authorization code grant pass code
state          No        A random string generated by your application

info

The client_id and redirect_uri values must match the ones registered for your client.

The optional state parameter protects your application from cross-site request forgery (CSRF). If provided, the AniAPI server will return it alongside the user's access_token. Verify that it matches the value you originally sent before accepting the response.

Example request URL
https://api.aniapi.com/v1/oauth?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&state=<RANDOM_STRING>

Retrieve the authorization code

Once the user has approved the authentication request and completed the login step, the AniAPI server will redirect them back to your application. Let's assume you provided http://localhost:3000/auth as the redirect_uri value. This will be the redirection URL:

Example redirect URL
http://localhost:3000/auth/?code=<CODE>&state=<RANDOM_STRING>

As you can see, the query string contains the generated authorization_code and the optional state value you provided initially.

warning

An authorization_code is valid for 3 minutes after creation.

Exchange the authorization code for the token

To obtain the user's access_token, make a POST request to https://api.aniapi.com/v1/oauth/token with the following parameters:

Name           Required  Description
client_id      Yes       Your client ID
client_secret  Yes       Your client secret
code           Yes       The authorization_code you got earlier
redirect_uri   Yes       Your client redirect URI

Example request
curl -i -X POST "https://api.aniapi.com/v1/oauth/token?client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&code=<AUTHORIZATION_CODE>&redirect_uri=<REDIRECT_URI>"

If all goes right, you should receive a JSON-encoded response with the user's access_token:

Example response
{
  "status": 200,
  "message": "Code verified",
  "data": "<ACCESS_TOKEN>",
  "version": "1"
}
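The whole flow from the backend's point of view, as an added example that is not part of AniAPI's documentation or SDK: it builds the redirect URL with a fresh state, checks the state on the callback with a constant-time comparison before trusting the code, and exchanges the code for the token using only the endpoints, parameter names and response shape given above. The parameters are sent in the query string of the POST, exactly as the curl example does. The `post` callable, the stub token endpoint and all `constructed-*` values are assumptions so the flow can be exercised offline; the hypothetical `login_flow` ties the steps together.

```python
"""Authorization code grant against the AniAPI OAuth endpoints (added example)."""
import hmac
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://api.aniapi.com/v1/oauth"
TOKEN_URL = "https://api.aniapi.com/v1/oauth/token"


def new_state() -> str:
    """Unguessable per-login CSRF token; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 2: the URL the user is sent to instead of a local login form."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 4: pull the code out of the redirect, refusing it when the state
    is missing or differs from the one this session issued."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time comparison on bytes: no timing leak, no TypeError on odd input.
    if not expected_state or not hmac.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback carries no authorization code")
    return codes[0]


def http_post(url: str) -> str:
    """Real transport: POST with the parameters in the query string (as the curl example)."""
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exchange_code(code, client_id, client_secret, redirect_uri, post=http_post) -> str:
    """Step 5: runs only on the backend, because it carries client_secret."""
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    body = json.loads(post(TOKEN_URL + "?" + urllib.parse.urlencode(params)))
    # Response shape from the page: status, message, data (the token), version.
    if body.get("status") != 200 or not body.get("data"):
        raise RuntimeError(f"token exchange failed: {body.get('message')!r}")
    return body["data"]


def stub_post(url: str) -> str:
    """Constructed stand-in for the token endpoint, used only for the offline demo."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    ok = q.get("code") == ["constructed-code"] and q.get("client_secret") == ["constructed-secret"]
    return json.dumps({
        "status": 200 if ok else 400,
        "message": "Code verified" if ok else "Invalid code",
        "data": "constructed-access-token" if ok else None,
        "version": "1",
    })


def login_flow(session: dict, callback_url: str, post=http_post) -> str:
    """Hypothetical glue: state from the session, callback check, then exchange."""
    code = parse_callback(callback_url, session.pop("oauth_state", ""))  # single use
    return exchange_code(code, session["client_id"], session["client_secret"],
                         session["redirect_uri"], post=post)


def run_demo() -> str:
    """End-to-end run with constructed values and the stub endpoint."""
    session = {"client_id": "constructed-id", "client_secret": "constructed-secret",
               "redirect_uri": "http://localhost:3000/auth", "oauth_state": new_state()}
    print(build_authorize_url(session["client_id"], session["redirect_uri"], session["oauth_state"]))
    callback = f"http://localhost:3000/auth/?code=constructed-code&state={session['oauth_state']}"
    return login_flow(session, callback, post=stub_post)


if __name__ == "__main__":
    print(run_demo())
```

Popping the state out of the session makes it single use, so a replayed callback fails the check even with a valid-looking code; the three-minute code lifetime from the warning above is enforced by the server and needs no client-side handling beyond reporting the failed exchange.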