Call Your API Using the Authorization Code Flow

This guide helps you call your API using the Authorization Code Flow, a secure and commonly used method for server-side applications to obtain Access Tokens.


Steps to Use the Authorization Code Flow

1. Contact the UPBOND Team

Before beginning, provide the following details to the UPBOND team to configure your API and application:

  • API name and description.

  • Application type (e.g., Regular Web App).

  • Allowed Callback URLs (e.g., https://yourApp/callback).

  • Required grant types (e.g., authorization_code and refresh_token for token renewal).

The UPBOND team will:

  • Register your API and application in Login 3.0.

  • Configure scopes, permissions, and grant types as needed.


2. Redirect the User for Authorization

Send the user to the authorization endpoint to obtain an authorization code. Use the following URL structure:

https://{yourDomain}/authorize?response_type=code&client_id={yourClientId}&redirect_uri={yourRedirectUri}&scope={requestedScopes}

Parameters:

  • response_type=code: Specifies the Authorization Code Flow.

  • client_id: The unique identifier for your application.

  • redirect_uri: The callback URL configured in Login 3.0.

  • scope: The requested access scopes (e.g., openid profile email).


3. Exchange the Authorization Code for Tokens

Use the /oauth/token endpoint to exchange the authorization code for an access token. Make a POST request with the following parameters:

curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{
    "grant_type": "authorization_code",
    "client_id": "{yourClientId}",
    "client_secret": "{yourClientSecret}",
    "code": "{authorizationCode}",
    "redirect_uri": "{yourRedirectUri}"
  }'

Response:

  • Access Token: Used to call your API.

  • ID Token: Contains user profile information.

  • Refresh Token (optional): Used to obtain new tokens.


4. Call Your API with the Access Token

Include the access token in the Authorization header when making API requests:

curl --request GET \
  --url 'https://{yourApi}/endpoint' \
  --header 'Authorization: Bearer {accessToken}'

5. Handle Token Expiration (Optional)

If your application uses refresh tokens, you can obtain new tokens without requiring user interaction. Contact the UPBOND team to configure token expiration settings and refresh token policies.
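
The following added example (not UPBOND's code) builds the step 2 authorization URL with URL-encoded parameters, checks the callback before trusting the code, and assembles the step 3 token request body. The domain and client ID are placeholders, and it assumes Login 3.0 returns the standard OAuth 2.0 state parameter unchanged on the callback, which this page does not confirm.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions); use the ones issued for your application.
DOMAIN = "login.example.test"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://yourApp/callback"


def build_authorize_url(scope="openid profile email"):
    """Step 2: return (url, state); keep state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match the registered callback
        "scope": scope,                # spaces are encoded by urlencode
        "state": state,                # assumed to be echoed back unchanged
    })
    return f"https://{DOMAIN}/authorize?{query}", state


def code_from_callback(callback_url, expected_state):
    """Check the redirect back to the app and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(code, client_secret):
    """Step 3: JSON body for POST https://{DOMAIN}/oauth/token."""
    return json.dumps({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # same value as in step 2
    })
```

Read client_secret from server-side configuration and discard the stored state once a callback has been processed, so each value is used for a single login attempt.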

