The OAuth 2.0 Protocol

Redirection Notice
This page should redirect to [api:The OAuth 2.0 Protocol].

You are viewing an old version of this page.

Abstract

The API uses the OAuth 2.0 protocol for authentication and authorization. We support a single OAuth flow that you can use within your website, mobile and desktop apps: the server-side OAuth 2.0 flow for user login, known as the authorization code flow in the specification. The server-side flow is used whenever you need to call the API from your web server.

The application must be set as EXTERNAL. Please be patient - we are still in open beta :)


User authentication and app authorization are handled at the same time by redirecting the user to our OAuth Dialog. When invoking this dialog, you must pass the application ID in the client_id parameter and, in the redirect_uri parameter, the URL that the user's browser will be redirected back to once app authorization is completed. The redirect_uri must be within the same domain as the Site URL you specify in the Web site tab of the Developer App. The scope parameter is optional. By default, the application can access the users.getLoggedInUser method. For extended access, provide the scope parameter with the access rights.

Init parameters
  1. client_id - Application ID
  2. response_type - only the "code" response type is supported at this moment
  3. redirect_uri - URI to redirect the user to after authentication, with an additional parameter
  4. scope - permissions scope, separated by ";":
    1. VALUABLE ACCESS - access to API methods except those listed below (the methods users.getLoggedInUser and users.getCurrentUser can be called without any scope)

Redirect by your server

OR Using JavaScript

You can use our JavaScript functionality to open an authentication pop-up. In this case authentication and authorization work within the pop-up window.

Login screen

User declined authentication or is unauthenticated

User will be redirected to the

User accepted authorization

If the user presses Allow, your Application is authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with an authorization code:

With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls.

Using authorization CODE
For OAuth requests to the API, use the POST method only. All responses are returned in JSON format.

In order to authenticate your Application and get an access token, you must pass the authorization code to the API token endpoint at


  1. code - authorization code, received when the user is returned to the redirect URL
  2. redirect_uri - the same redirect URI you provided in the first call
  3. grant_type - only authorization_code is supported at this moment
  4. client_id - application ID
  5. client_secret - application secret key

Success response JSON

Using Access Token

With a valid access token you can invoke the API by appending the access_token parameter to requests:

Using Refresh Token

The access token has a limited lifetime, about 30 minutes. To access the API service after the access token has expired, you can get another access token with the refresh token.
The refresh token also has a limited lifetime, but it is much longer. Create a POST request to the API endpoint.


  1. refresh_token - refresh token received before
  2. grant_type = refresh_token
  3. client_id - Application ID
  4. client_secret - application secret key
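
The server-side flow described above (dialog URL, returned code, token exchange, refresh), as an added example that is not code from the original page or from the API's own SDK. The endpoint URLs, the site host, the "code" query parameter name and all function names are assumptions, because the page's own URLs are not shown here.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request, urlopen

# Assumed placeholders: the real endpoint URLs and Site URL are not shown on this page.
AUTHORIZE_URL = "https://api.example.invalid/oauth/authorize"
TOKEN_URL = "https://api.example.invalid/oauth/token"
SITE_HOST = "app.example.invalid"  # host of the Site URL registered for the app

def redirect_allowed(redirect_uri):
    """Accept only https redirect URIs on the registered host (exact match, a strict reading)."""
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and (parts.hostname or "").lower() == SITE_HOST

def authorize_url(client_id, redirect_uri, scopes=()):
    """Step 1: URL of the OAuth dialog the user's browser is sent to."""
    if not redirect_allowed(redirect_uri):
        raise ValueError("redirect_uri is outside the registered site")
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri}
    if scopes:
        params["scope"] = ";".join(scopes)  # scopes are separated by ";"
    return AUTHORIZE_URL + "?" + urlencode(params)

def code_from_callback(callback_url):
    """Step 2: pull the code from the redirect back; None if missing or repeated.
    Assumes the query parameter is named "code"."""
    values = parse_qs(urlsplit(callback_url).query).get("code", [])
    return values[0] if len(values) == 1 else None

def token_fields(code, redirect_uri, client_id, client_secret):
    """Step 3: form fields exchanging the code; redirect_uri must equal the one from step 1."""
    return {"code": code, "redirect_uri": redirect_uri, "grant_type": "authorization_code",
            "client_id": client_id, "client_secret": client_secret}

def refresh_fields(refresh_token, client_id, client_secret):
    """Later: form fields that trade the refresh token for a new access token."""
    return {"refresh_token": refresh_token, "grant_type": "refresh_token",
            "client_id": client_id, "client_secret": client_secret}

def post_form(url, fields):
    """POST only, secret in the body (never in a URL or in browser code); JSON comes back."""
    req = Request(url, data=urlencode(fields).encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

On the server, `post_form(TOKEN_URL, token_fields(...))` performs the exchange; the client_secret stays out of the JavaScript pop-up path entirely.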