OAuth2 Authorization Code Grant

NOTE: Authroization Code Grant Type flow requires trusted server.

Send the user you want to authenticate to your registered redirect URI. An authorization page will ask the user to sign up or log into Pulsoid and allow the user to choose whether to authorize your application/identity system.

Create a <a href="">login</a>:

GET https://pulsoid.net/oauth2/authorize
    ?client_id=<your client ID>
    &redirect_uri=<your registered redirect URI>
    &response_type=code
    &scope=<space-separated list of scopes>
    &state=<unique token, generated by your application>

Parameters explained:

Name

Type

Description

client_id

string

Your client ID.

redirect_uri

string

Your registered redirect URI. This must exactly match the redirect URI registered in the prior.

response_type

string

Should be always code

scope

string

Comma-separated list of scopes.

state

string

Your unique token, generated by your application. This is an OAuth 2.0 opaque value, used to avoid CSRF attacks. This value is echoed back in the response.

In our example, you request access to read heart rate data and send the user to http://localhost:

GET 'https://pulsoid.net/oauth2/authorize?response_type=code&client_id=3d3fa070-8358-4984-ae32-94392185df63&redirect_uri=http://localhost&scope=data:heart_rate:read&state=a52beaeb-c491-4cd3-b915-16fed71e17a8'

If the user authorizes your application, the user is redirected to your redirect URL:

https://<your registered redirect URI>/?code=<authorization code>&state=<echoed back state your application path on authorization step>

The OAuth 2.0 authorization code is a randomly generated string. It is used in the next step, a request made to the token endpoint in exchange for an access token. In our example, your user gets redirected to:

http://localhost/?code=fedc8790-df28-4928-9dcf-55a4d7aa1f5e
    &state=a52beaeb-c491-4cd3-b915-16fed71e17a8

On your server, get an access token by making this request:

POST https://pulsoid.net/oauth2/token
Content-Type: application/x-www-form-urlencoded

client_id=<your client ID>
&client_secret=<your client secret>
&code=<authorization code received above>
&grant_type=authorization_code
&redirect_uri=<your registered redirect URI>

Here is a sample request:

POST https://pulsoid.net/oauth2/token
Content-Type: application/x-www-form-urlencoded   

grant_type=authorization_code 
&code=fedc8790-df28-4928-9dcf-55a4d7aa1f5e
&client_id=3d3fa070-8358-4984-ae32-94392185df63
&client_secret=a8262283-f568-4ec3-be84-1c4758dc1a82
&redirect_uri=http://localhost

We respond with a JSON-encoded access token. The response looks like this:

{
  "access_token": "<user access token>",
  "refresh_token": "<refresh token>",
  "expires_in": <number of seconds until the token expires>,
  "token_type": "bearer"
}

In our example:

{
  "access_token": "17ebb971-f558-48f2-81b1-788ea927c509",
  "refresh_token": "c6f30bc4-9a04-4e66-a1a1-080fad703a9e",
  "expires_in": 3600,
  "token_type": "bearer"
}

Note that code can be exchanged for an access token only once.

PreviousOAuth2 Implicit Grant NextOAuth2 Client Credentials Grant Type(server token)

Last updated 2 years ago

NOTE: Authroization Code Grant Type flow requires trusted server.

Send the user you want to authenticate to your registered redirect URI. An authorization page will ask the user to sign up or log into Pulsoid and allow the user to choose whether to authorize your application/identity system.

Create a <a href="">login</a>:

GET https://pulsoid.net/oauth2/authorize
    ?client_id=<your client ID>
    &redirect_uri=<your registered redirect URI>
    &response_type=code
    &scope=<space-separated list of scopes>
    &state=<unique token, generated by your application>

Parameters explained:

Name

Type

Description

client_id

string

Your client ID.

redirect_uri

string

Your registered redirect URI. This must exactly match the redirect URI registered in the prior.

response_type

string

Should be always code

scope

string

Comma-separated list of scopes.

state

string

Your unique token, generated by your application. This is an OAuth 2.0 opaque value, used to avoid CSRF attacks. This value is echoed back in the response.

In our example, you request access to read heart rate data and send the user to http://localhost:

GET 'https://pulsoid.net/oauth2/authorize?response_type=code&client_id=3d3fa070-8358-4984-ae32-94392185df63&redirect_uri=http://localhost&scope=data:heart_rate:read&state=a52beaeb-c491-4cd3-b915-16fed71e17a8'

If the user authorizes your application, the user is redirected to your redirect URL:

https://<your registered redirect URI>/?code=<authorization code>&state=<echoed back state your application path on authorization step>

http://localhost/?code=fedc8790-df28-4928-9dcf-55a4d7aa1f5e
    &state=a52beaeb-c491-4cd3-b915-16fed71e17a8

On your server, get an access token by making this request:

POST https://pulsoid.net/oauth2/token
Content-Type: application/x-www-form-urlencoded

client_id=<your client ID>
&client_secret=<your client secret>
&code=<authorization code received above>
&grant_type=authorization_code
&redirect_uri=<your registered redirect URI>

Here is a sample request:

POST https://pulsoid.net/oauth2/token
Content-Type: application/x-www-form-urlencoded   

grant_type=authorization_code 
&code=fedc8790-df28-4928-9dcf-55a4d7aa1f5e
&client_id=3d3fa070-8358-4984-ae32-94392185df63
&client_secret=a8262283-f568-4ec3-be84-1c4758dc1a82
&redirect_uri=http://localhost

We respond with a JSON-encoded access token. The response looks like this:

{
  "access_token": "<user access token>",
  "refresh_token": "<refresh token>",
  "expires_in": <number of seconds until the token expires>,
  "token_type": "bearer"
}

In our example:

{
  "access_token": "17ebb971-f558-48f2-81b1-788ea927c509",
  "refresh_token": "c6f30bc4-9a04-4e66-a1a1-080fad703a9e",
  "expires_in": 3600,
  "token_type": "bearer"
}

Note that code can be exchanged for an access token only once.