oauth

Generate and manage OAuth tokens.

get
Authorize a user

https://CounterSocial.example/oauth/authorize

Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired redirect_uri, or show the authorization code if urn:ietf:wg:oauth:2.0:oob was requested. The authorization code can be used while requesting a token to obtain access to user-level methods.

Request

Form Data Parameters
response_type
required
string
Should be set equal to code.
client_id
required
string
Client ID, obtained during app registration.
redirect_uri
required
string
Set a URI to redirect the user to. If this parameter is set to urn:ietf:wg:oauth:2.0:oob then the authorization code will be shown instead. Must match one of the redirect URIs declared during app registration.
scope
optional
string
List of requested OAuth scopes, separated by spaces (or by pluses, if using query parameters). Must be a subset of scopes declared during app registration. If not provided, defaults to read.
force_login
optional
bool
Added in 2.6.0. Forces the user to re-login, which is necessary for authorizing with multiple accounts from the same instance.

Response

200: Success

The authorization code will be returned as a query parameter named code.

redirect_uri?code=qDFUEaYrRK5c-HNmTCJbAzazwLRInJ7VHFat0wcMgCU

400:

If the authorization code is incorrect or has been used already, the request will fail.

{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}

post
Obtain a token

https://CounterSocial.example/oauth/token

Returns an access token, to be used during API calls that are not public.

Request

Form Data Parameters
grant_type
required
string
Set equal to authorization_code if code is provided in order to gain user-level access. Otherwise, set equal to client_credentials to obtain app-level access only.
client_id
required
string
Client ID, obtained during app registration
client_secret
required
string
Client secret, obtained during app registration
redirect_uri
required
string
Set a URI to redirect the user to. If this parameter is set to urn:ietf:wg:oauth:2.0:oob then the token will be shown instead. Must match one of the redirect URIs declared during app registration.
scope
optional
string
List of requested OAuth scopes, separated by spaces. Must be a subset of scopes declared during app registration. If not provided, defaults to read.
code
optional
string
A user authorization code, obtained via /oauth/authorize

Response

200: Success

Store this access_token for later use with auth-required methods. The token should be passed as an HTTP Authorization header when making API calls, with the value Bearer access_token

{
  "access_token": "ZA-Yj3aBD8U8Cm7lKUp-lm9O9BmDgdhHzDeqsY8tlL0",
  "token_type": "Bearer",
  "scope": "read write follow push",
  "created_at": 1573979017
}

400:

If you try to request a scope that was not included when registering the app, the request will fail.

{
  "error": "invalid_scope",
  "error_description": "The requested scope is invalid, unknown, or malformed."
}

401: Unauthorized

If client_id and client_secret do not match or are invalid, the request will fail.

{
  "error": "invalid_client",
  "error_description": "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
}

post
Revoke token

https://CounterSocial.example/oauth/revoke

Revoke an access token to make it no longer valid for use.

Request

Form Data Parameters
client_id
required
string
Client ID, obtained during app registration
client_secret
required
string
Client secret, obtained during app registration
token
required
string
The previously obtained token, to be invalidated

Response

200: Success

If you own the provided token, the API call will provide an empty response. This operation is idempotent, so calling this API multiple times will still return OK.

{}

403: Forbidden

If you provide a token you do not own, or no token at all, the API call will return a 403 error.

{
  "error": "unauthorized_client",
  "error_description": "You are not authorized to revoke this token"
}

Last updated September 13, 2021 ?? Improve this page