
OAuth2 API Access Guide

InfoLobby uses OAuth2 authorization code grant flow to issue access tokens on behalf of users.

This document will walk you through the steps to access our API using OAuth2 authentication. OAuth2 is a widely-used protocol for secure and authorized access to resources, and it involves several steps to obtain an access token and refresh token for API access.

1. Prerequisites

Before you can access our OAuth2 API, you'll need the following:

  • Client ID: Obtain this by registering your application with our authorization server.
  • Client Secret: Also obtained during the registration process.
  • Redirect URI: A URL to which the user will be redirected after granting/denying access.

2. Register Your Application

To register your application, follow these steps:

  1. While logged into your InfoLobby account, go to "Account Settings" from the top-left menu, and then select "API Keys" from the top sub-menu.
  2. On the API Keys page, click the "Create New API Key" button.
  3. Provide the requested information, including the name of your application and the redirect URI. Note that it is imperative that the redirect URI exactly matches the URI you will be using in your application.
  4. Upon successful registration, you'll receive a client ID and client secret. Keep these credentials secure!

3. Obtaining an Access Token

If you're using a 3rd-party library or other software, you should be able to simply plug in these values:

  • Authorization Endpoint: https://infolobby.com/api/oauth/authorize
  • Token Endpoint: https://infolobby.com/api/oauth/token
  • Scope: none - you can leave this blank
  • Client ID: From step 2 above
  • Client Secret: From step 2 above

In more detail, to obtain an access token, you need to follow these steps:

  1. Authorization Request

Send users to the following authorization URL:

https://infolobby.com/api/oauth/authorize

In the GET parameters, include the following:

  • client_id: Your client ID
  • redirect_uri: Your redirect URI
  • response_type: code
  • state: Optional random string used to prevent CSRF attacks

  2. User Authentication

The user logs in and authorizes your application's access request.

  3. Authorization Grant

If the user grants access, the authorization server redirects the user back to your specified redirect URI with the following set in the GET parameters:

  • code: The authorization code
  • state: The state parameter you provided in step 1; check that it matches the value you sent before using the code

  4. Access Token Request

To exchange the authorization code for an access token, make a POST request to the following token endpoint:

https://infolobby.com/api/oauth/token

In the POST parameters, include the following:

  • grant_type: authorization_code
  • code: The authorization code you received in step 3
  • client_id: Your client ID
  • client_secret: Your client secret
  • redirect_uri: Your redirect URI - must match the redirect URI you used in step 1

You will receive a JSON response containing the access token and refresh token, e.g.:

{
  "access_token":"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
  "token_type":"Bearer",
  "expires_in":3600,
  "refresh_token":"IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk"
}
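
The client side of steps 1, 3 and 4 above, written in Python as an added example (not InfoLobby's own code): it generates and verifies `state`, builds the token request body, and turns `expires_in` into an absolute expiry. The function names are hypothetical, and sending the POST is left to your HTTP client.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://infolobby.com/api/oauth/authorize"  # from this guide


def build_authorization_url(client_id, redirect_uri):
    """Step 1: return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # fresh, unguessable value per login attempt
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Step 3: check state against the session copy, then return the code."""
    params = parse_qs(urlsplit(callback_url).query)
    state, code = params.get("state", []), params.get("code", [])
    # Exactly one state value, compared in constant time; anything else is rejected.
    if len(state) != 1 or not hmac.compare_digest(state[0].encode(),
                                                  expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if len(code) != 1:
        raise ValueError("missing or duplicated authorization code")
    return code[0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 4: form-encoded POST body; send it only from your server."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri})  # same URI as in step 1


def parse_token_response(body, now):
    """Validate the JSON token response; convert expires_in to an absolute time."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": data["access_token"],
            "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}
```

Pass `time.time()` as `now` in production, and refresh shortly before `expires_at` rather than waiting for a rejected request.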

4. Using the Access Token

Once you have obtained an access token, you can use it to make authorized requests to our API. Include the access token in the Authorization header of your API requests using the "Bearer" token type.

For example, to get the authorizing user's profile information, make a GET request to the following endpoint:

https://infolobby.com/api/users/me

$ curl -X GET "https://infolobby.com/api/users/me" -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
{
   userId: 123,
   username: 'John Smith',
   emailAddress: 'john.smith@domain.com',
   timezone: 'America/New_York',
   locale: 'en-US'
}

5. Refreshing the Access Token

Access tokens have a limited lifespan. To obtain a new access token without requiring the user to reauthorize, use the refresh token.

Make a POST request to the following token endpoint with your client credentials:

https://infolobby.com/api/oauth/token

In the POST parameters, include the following:

  • grant_type: refresh_token
  • refresh_token: The refresh token you received in step 4 of section 3
  • client_id: Your client ID
  • client_secret: Your client secret

You will receive a new token response similar to the one you received in step 4 of section 3 above.

InfoLobby © 2024 Globi Web Solutions