Implicit Flow

Authorize

GET <https://auth3.upbond.io/authorize>?
  audience=API_IDENTIFIER&
  scope=SCOPE&
  response_type=token|id_token|id_token token&
  client_id=YOUR_CLIENT_ID&
  redirect_uri=YOUR_REDIRECT_URI&
  state=STATE&
  nonce=NONCE

RESPONSE SAMPLE

HTTP/1.1 302 Found
Location: YOUR_REDIRECT_URI#access_token=TOKEN&state=STATE&token_type=TYPE&expires_in=SECONDS

This is the OAuth 2.0 grant that web apps utilize to access an API.

Request Parameters

Parameter	Description
audience	The unique identifier of the target API you want to access.
scope	The scopes you want to request authorization for. These must be separated by a space. You can request standard OpenID Connect (OIDC) scopes (e.g., profile, email) or any scopes supported by the target API (e.g., read:contacts).
response_type Required	Specifies the type of token you will receive. Use token for an Access Token, id_token for an ID Token, or id_token token for both.
client_id Required	Your application's Client ID.
state Recommended	An opaque value added to the request to prevent CSRF attacks.
redirect_uri	The URL to which Login 3.0 will redirect the browser after authorization is granted.
nonce Recommended	A string included in the ID Token to prevent replay attacks. Required for response_type=id_token token.

Remarks

• The redirect_uri must match a valid callback URL configured for your application.

• If response_type=token, the user's authentication redirects them to your application's callback URL with the access_token.

• The Implicit Flow does not support Refresh Tokens. For refreshing tokens without user interaction, use Silent Authentication.

• The profile information returned in the token follows the structured claim format defined by the OIDC specification. Custom claims must conform to a namespaced format to avoid collisions with standard OIDC claims.

• Silent Authentication can retrieve a new Access Token when the user's session is still valid, without requiring interaction.