Authorization

Create a "Log In" link sending the user to:

https://authorization-server.com/auth?response_type=code& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos&state=1234zyx

• response_type=code - Indicates that your server expects to receive an authorization code
• client_id - The client ID you received when you first created the application
• redirect_uri - Indicates the URI to return the user to after authorization is complete
• scope - One or more scope values indicating which parts of the user's account you wish to access
• state - A random string generated by your application, which you'll verify later

Token Exchange

Your server exchanges the auth code for an access token:

POST https://api.authorization-server.com/token grant_type=authorization_code& code=AUTH_CODE_HERE& redirect_uri=REDIRECT_URI& client_id=CLIENT_ID& client_secret=CLIENT_SECRET

• grant_type=authorization_code - The grant type for this flow is authorization_code
• code=AUTH_CODE_HERE - This is the code you received in the query string
• redirect_uri=REDIRECT_URI - Must be identical to the redirect URI provided in the original link
• client_id=CLIENT_ID - The client ID you received when you first created the application
• client_secret=CLIENT_SECRET - Since this request is made from server-side code, the secret is included