OAuth2 API Access Guide
InfoLobby uses OAuth2 authorization code grant flow to issue access tokens on behalf of users.
This document will walk you through the steps to access our API using OAuth2 authentication. OAuth2 is a widely-used protocol for secure and authorized access to resources, and it involves several steps to obtain an access token and refresh token for API access.
1. Prerequisites
Before you can access our OAuth2 API, you'll need the following:
- Client ID: Obtain this by registering your application with our authorization server.
- Client Secret: Also obtained during the registration process.
- Redirect URI: A URL to which the user will be redirected after granting/denying access.
2. Register Your Application
To register your application, follow these steps:
- While logged into your InfoLobby account, go to "Account Settings" from the top-left menu, and then select "API Keys" from the top sub-menu.
- On the API Keys page, click the "Create New API Key" button.
- Provide the requested information, including the name of your application and the redirect URI. Note that it is imperative that the redirect URI matches exactly the URI you will be using in your application.
- Upon successful registration, you'll receive a client ID and client secret. Keep these credentials secure!
3. Obtaining an Access Token
If you're using a 3rd-party library or other software, you should be able to simply plug in these values:
- Authorization Endpoint:
https://infolobby.com/api/oauth/authorize
- Token Endpoint:
https://infolobby.com/api/oauth/token
- Scope: none - you can leave this blank
- Client ID: From step 2 above
- Client Secret: From step 2 above
In more detail, to obtain an access token, you need to follow these steps:
- Authorization Request
Send users to the following authorization url:
https://infolobby.com/api/oauth/authorize
In the GET parameters, include the following:
client_id: Your client ID
redirect_uri: Your redirect URI
response_type: code
state: optional random string to prevent CSRF attacks
- User Authentication
The user logs in and authorizes your application's access request.
- Authorization Grant
If the user grants access, the authorization server redirects the user back to your specified redirect URI with the following set in the GET parameters:
code: The authorization code
state: The state parameter you provided in step 1
- Access Token Request
To exchange the authorization code for an access token, make a POST request to the following token endpoint:
https://infolobby.com/api/oauth/token
In the POST parameters, include the following:
grant_type: authorization_code
code: The authorization code you received in step 3
client_id: Your client ID
client_secret: Your client secret
redirect_uri: Your redirect URI - must match the redirect URI you used in step 1
You will receive a JSON response containing the access token and refresh token, e.g.:
{
"access_token":"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk"
}
4. Using the Access Token
Once you have obtained an access token, you can use it to make authorized requests to our API. Include the access token in the Authorization header of your API requests using the "Bearer" token type.
For example, to get the authorizing user's profile information, make a GET request to the following endpoint:
https://infolobby.com/api/users/me
$ curl -X GET "https://infolobby.com/api/users/me" -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
{
userId: 123,
username: 'John Smith',
emailAddress: 'john.smith@domain.com',
timezone: 'America/New_York',
locale: 'en-US'
}
5. Refreshing the Access Token
Access tokens have a limited lifespan. To obtain a new access token without requiring the user to reauthorize, use the refresh token.
Make a POST request to the following token endpoint with your client credentials:
https://infolobby.com/api/oauth/token
In the POST parameters, include the following:
grant_type: refresh_token
refresh_token: The refresh token you received in step 4
client_id: Your client ID
client_secret: Your client secret
You will receive a new token response similar to what you received in step 4 above.
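As an added example (not InfoLobby's own code), the following Python client covers the authorization code flow from section 3 and the refresh from section 5 using only the standard library; the client ID, client secret and redirect URI are placeholders you supply, and the callback is assumed to arrive as a full URL string. It always sends a random state and refuses a callback whose state does not match the one saved for the session.

```python
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://infolobby.com/api/oauth/authorize"
TOKEN_URL = "https://infolobby.com/api/oauth/token"

def build_authorization_url(client_id, redirect_uri):
    # Step 1: fresh random state, stored in the user's session and
    # checked again on the callback so a forged redirect is rejected.
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state

def extract_code(callback_url, expected_state):
    # Step 3: accept the code only when the returned state matches the
    # value saved for this session (constant-time compare on bytes).
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback discarded")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]

def code_exchange_fields(client_id, client_secret, redirect_uri, code):
    # Step 4: POST body for the token endpoint; redirect_uri must equal
    # the one sent in step 1.
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}

def refresh_fields(client_id, client_secret, refresh_token):
    # Section 5: POST body to obtain a new access token without the user.
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}

def post_token_request(fields):
    # Form-encoded POST to the token endpoint; returns the decoded JSON
    # (access_token, token_type, expires_in, refresh_token).
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call post_token_request(code_exchange_fields(...)) once per authorization code and post_token_request(refresh_fields(...)) when expires_in has elapsed; the client secret belongs only on your server, never in browser or mobile code.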