
Implicit Grant

If you can't store your client's credentials in a safe place, you'll need to use the implicit grant. This flow is mainly used by frontend-only environments, such as websites or mobile applications.

How it works

  1. The user asks to log in inside your application
  2. Instead of building a login-form, you just redirect the user to our OAuth endpoint
  3. The user authenticates with their credentials
  4. If nothing goes wrong, the AniAPI server redirects the user to your app with their access_token

Requirements

  • An AniAPI OAuth Client
  • A website or a mobile application
  • A temporary webserver to grab the token

Redirect the user

Open a browser window (or just redirect if your application is a website) and make a request to https://api.aniapi.com/v1/oauth. The oauth endpoint expects some parameters to identify the client calling it:

Name           Required  Description
client_id      Yes       Your client ID
redirect_uri   Yes       Your client redirect URI
response_type  Yes       For implicit grant pass token
state          No        A random string generated by your application
Info: The client_id and redirect_uri values must match the ones configured for your client.

The state parameter (optional) is used to protect your application from cross-site request forgery (CSRF). If provided, the AniAPI server will return it alongside the user's access_token. To validate the response, verify it against the value you originally provided.

Example request URL
https://api.aniapi.com/v1/oauth?
    response_type=token
    &client_id=<CLIENT_ID>
    &redirect_uri=<REDIRECT_URI>
    &state=<RANDOM_STRING>

Retrieve the token

Once the user has approved the authentication request and completed the login step, the AniAPI server will redirect them back to your application. Let's assume you provided http://localhost:3000/auth as the redirect_uri value. This will be the redirection URL:

Example redirect URL
http://localhost:3000/auth/#access_token=<TOKEN>&state=<RANDOM_STRING>

As you can see, inside the URL fragment there will be the user's access_token and the optional state value you provided initially.

Caution: The URL fragment differs from a query string because it is accessible from the frontend only; the browser does not send it to the server.

You need to extract it by using JavaScript inside the webpage.
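
The flow above in browser JavaScript, added here as an example and not AniAPI's own code: it builds the request URL, then reads access_token from the fragment and rejects the response unless state matches the value sent. The function names and the sessionStorage key oauth_state are assumptions, and the example treats state as mandatory although the endpoint makes it optional.

```javascript
// Added example (not AniAPI code). Keeping state in sessionStorage is an assumption.
const OAUTH_ENDPOINT = "https://api.aniapi.com/v1/oauth";

// Random single-use state value: 16 bytes from the platform CSPRNG, hex-encoded.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the authorization URL from the parameters in the table above.
function buildAuthorizeUrl(clientId, redirectUri, state) {
  const url = new URL(OAUTH_ENDPOINT);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// Return the token from the URL fragment only when state matches the value sent.
function readImplicitCallback(callbackUrl, expectedState) {
  const params = new URLSearchParams(new URL(callbackUrl).hash.slice(1));
  const accessToken = params.get("access_token");
  if (!accessToken) return { ok: false, reason: "missing access_token" };
  const stateOk = Boolean(expectedState) && params.get("state") === expectedState;
  if (!stateOk) return { ok: false, reason: "state mismatch" };
  return { ok: true, accessToken };
}

// Browser-only helpers; nothing below runs when there is no window object (e.g. Node).
function startLogin(clientId, redirectUri) {
  const state = newState();
  sessionStorage.setItem("oauth_state", state);
  window.location.assign(buildAuthorizeUrl(clientId, redirectUri, state));
}

function finishLogin() {
  const expected = sessionStorage.getItem("oauth_state");
  sessionStorage.removeItem("oauth_state"); // a state value is valid once
  const result = readImplicitCallback(window.location.href, expected);
  // Remove the fragment so the token is not left in the address bar or history.
  history.replaceState(null, "", window.location.pathname + window.location.search);
  return result;
}

if (typeof window !== "undefined" && window.location.hash) {
  const result = finishLogin();
  if (!result.ok) console.warn("Login rejected:", result.reason);
}
```

Call startLogin from the login button and load the script on the redirect_uri page; a token that arrives with a missing or different state is discarded.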