OAuth 2.0 is a protocol that lets your app request access to private details in a user's account without ever handling their password. It's also the vehicle by which apps are installed on an account.
Your app asks for specific permission scopes and is rewarded with access tokens upon a user's approval.
You'll need to register your app before getting started. A registered app is assigned a unique Client ID and Client Secret which will be used in the OAuth flow. The Client Secret should not be shared.
Your web or mobile app should redirect users to the following URL:
https://xeno.app/oauth/authorize
The following values should be passed as GET parameters:
client_id - issued when you created your app (required)
scope - permissions to request (see below) (required)
redirect_uri - URL to redirect back to (see below) (optional)
state - unique string to be passed back upon completion (optional)
The scope parameter is a space-separated list of OAuth scopes, indicating which parts of the user's account you'd like your app to be able to access. Available scopes are: widgets (brands), faqs, contacts and conversations.
The state parameter should be used to prevent cross-site request forgery (CSRF): pass in a value that's unique to the user you're authenticating, and check that the same value comes back when authorization completes.
If all is well, the user is sent back to your redirect_uri with a temporary code parameter (and the state value you passed). Exchange that authorization code for an access token using the oauth/token API method:
https://xeno.app/oauth/token
client_id - issued when you created your app (required)
client_secret - issued when you created your app (required)
code - a temporary authorization code (required)
redirect_uri - must match the originally submitted URI (required if one was sent in the authorize step)
You'll receive a JSON response containing an access_token (these access tokens are also known as bearer tokens):
{
"access_token": "ffb4acaf27c4[...]9025d650aa6dff",
"scope": "widget"
}
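The complete flow described above (build the authorize URL with a per-user state, verify the state on the callback, exchange the code, read the access_token out of the JSON) as an added Python example; this is illustration code written for this page, not xeno.app's own SDK. It uses only the standard library. The client ID, client secret, redirect URI and callback URL are constructed placeholders, the allowed scope names are the ones listed above, and the token endpoint is assumed to accept a form-encoded POST (the page does not state the HTTP method, so that part is an assumption). Because these tokens never expire, the returned token should be kept server-side and never exposed to the browser.

```python
import hmac
import json
import secrets
import urllib.parse
import urllib.request

# Endpoints are the ones given on this page.
AUTHORIZE_URL = "https://xeno.app/oauth/authorize"
TOKEN_URL = "https://xeno.app/oauth/token"
# Scope names listed on this page; anything else is rejected before the redirect.
VALID_SCOPES = {"widgets", "faqs", "contacts", "conversations"}


def new_state() -> str:
    """Unguessable per-login value. Store it in the user's server-side session
    before redirecting, so the callback can be matched to the same user."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, scopes: list, redirect_uri: str, state: str) -> str:
    """Build the URL the user's browser is redirected to for consent."""
    unknown = set(scopes) - VALID_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),          # space-separated, as the page specifies
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from xeno.app and return the authorization code.
    A state mismatch means the callback was not started by this user's session
    (CSRF / forged callback), so the code must not be exchanged."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time compare; also rejects the case where no state was stored.
    if not expected_state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible forged callback, aborting")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def _post_form(url: str, fields: dict) -> str:
    """Assumed transport: form-encoded POST over HTTPS, returning the body text."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def exchange_code(client_id: str, client_secret: str, code: str,
                  redirect_uri: str = None, post=_post_form):
    """Trade the temporary code for a bearer token. `post` is injectable so the
    exchange can be exercised without network access. Returns (token, scopes)."""
    fields = {"client_id": client_id, "client_secret": client_secret, "code": code}
    if redirect_uri:
        fields["redirect_uri"] = redirect_uri   # must match the authorize step
    body = json.loads(post(TOKEN_URL, fields))
    token = body.get("access_token")
    if not token:
        raise RuntimeError(f"token endpoint returned no access_token: {body}")
    return token, body.get("scope", "").split()


if __name__ == "__main__":
    # Constructed walk-through with a fake token endpoint (no network).
    state = new_state()
    print(build_authorize_url("my-client-id", ["widgets", "contacts"],
                              "https://example.com/oauth/callback", state))
    code = parse_callback(f"https://example.com/oauth/callback?code=tmp123&state={state}", state)
    fake = lambda url, fields: '{"access_token": "ffb4acaf27c4", "scope": "widget"}'
    print(exchange_code("my-client-id", "my-client-secret", code, post=fake))
```

In a real web app, new_state() runs when the login starts and its value is saved in the session; parse_callback() runs in the redirect_uri handler against that saved value, and only after it returns a code does exchange_code() contact the token endpoint with the client secret, which never leaves the server.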
You can then use this token to call API methods on behalf of the user. The token will continue functioning until the installing user either revokes the token or uninstalls your application.
Your app is considered "installed" as long as one of these tokens is still valid.
Please note that these access tokens do not expire.