
Authorization Code Grant

When you have a safe place to store your client credentials, you can use the authorization code grant.


The only confidential value of your client is the client_secret. Keep it private!

How it works

  1. The user asks to log in inside your application
  2. Instead of building a login form, you redirect the user to our OAuth endpoint
  3. The user authenticates with their credentials
  4. If nothing goes wrong, the AniAPI server redirects the user to your app with an authorization_code
  5. Your application uses the code to get the user's access_token


  • An AniAPI OAuth Client
  • A frontend application
  • A backend server

Redirect the user

Open a browser window (or just redirect if your application is a website) and make a request to the OAuth endpoint. The endpoint expects some parameters to identify the client calling it:

| Name | Required | Description |
| --- | --- | --- |
| client_id | Yes | Your client ID |
| redirect_uri | Yes | Your client redirect URI |
| response_type | Yes | For authorization code grant pass code |
| state | No | A random string generated by your application |

The client_id and redirect_uri values must match the ones registered for your client.

The optional state parameter protects your application from cross-site request forgery (CSRF). If provided, the AniAPI server will return it alongside the user's access_token. Verify it against the value you originally sent to validate the response.

Example request URL

    response_type=code
    &client_id=<CLIENT_ID>
    &redirect_uri=<REDIRECT_URI>
    &state=<RANDOM_STRING>

Retrieve the authorization code

Once the user has approved the authentication request and completed the login step, the AniAPI server redirects them back to your application. Let's assume you provided http://localhost:3000/auth as the redirect_uri value. This will be the redirection URL:

Example redirect URL

As you can see, the query string contains the generated authorization_code and the optional state value you provided initially.


The authorization_code is valid for 3 minutes from its creation.
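The redirect and callback steps above with the state check enforced on the backend, as an added example (not AniAPI's own code). Assumptions: `AUTHORIZE_ENDPOINT` is a placeholder URL, the `session` dict stands in for your server-side session store, the callback carries the code in a query parameter named `code`, and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: placeholder URL, the real OAuth endpoint is not reproduced here.
AUTHORIZE_ENDPOINT = "https://oauth.example.invalid/authorize"


def begin_login(session, client_id, redirect_uri):
    """Bind a fresh random state to the user's session and build the redirect URL."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code, or raise ValueError for an untrusted callback."""
    params = parse_qs(urlsplit(callback_url).query)
    # pop() makes the state single use, so a replayed callback is rejected.
    expected = session.pop("oauth_state", None)
    returned = params.get("state", [""])
    if expected is None or len(returned) != 1:
        raise ValueError("no login in progress or malformed state")
    if not hmac.compare_digest(expected.encode(), returned[0].encode()):
        raise ValueError("state mismatch: possible CSRF, do not exchange the code")
    # Assumption: the code arrives in a query parameter named "code".
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated code parameter")
    return codes[0]


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session store
    url = begin_login(session, "<CLIENT_ID>", "http://localhost:3000/auth")
    state = parse_qs(urlsplit(url).query)["state"][0]
    # Constructed callback, as the browser would deliver it after login.
    good = "http://localhost:3000/auth?" + urlencode({"code": "sample-code", "state": state})
    print(handle_callback(session, good))
```

Exchange the returned code from the backend right away, since it is valid for only 3 minutes.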

Exchange the authorization code for the token

To obtain the user's access_token, you need to make a POST request with the following parameters:

| Name | Required | Description |
| --- | --- | --- |
| client_id | Yes | Your client ID |
| client_secret | Yes | Your client secret |
| code | Yes | The authorization_code you got earlier |
| redirect_uri | Yes | Your client redirect URI |

Example request

    curl -i -X POST
        client_id=<CLIENT_ID>
        &client_secret=<CLIENT_SECRET>
        &code=<AUTHORIZATION_CODE>
        &redirect_uri=<REDIRECT_URI>

If all goes right, you should receive a JSON-encoded response with the user's access_token:

Example response

    {
      "status": 200,
      "message": "Code verified",
      "data": "<ACCESS_TOKEN>",
      "version": "1"
    }