- authorization_code: a secret code that is valid for 1 year. Required to obtain an access_token.
- access_token: a secret token that allows you to perform actions on behalf of a user. Valid for 30 minutes.
- Obtain a temporary special use login url via the /oauth2/requestCode resource
- Direct the end user to the temporary login_uri location that is returned from the /oauth2/requestCode endpoint via a pop-up window (or iFrame, but we recommend a pop-up window).
- Once the end user has authorized your application to access their account, the end user will be redirected to your callback_uri that you specified in Step #1. A query (GET) parameter will be added to the end of your callback_uri containing one or more authorization_codes. Each authorization_code corresponds to a unique affiliation they have within the system. If multiple authorization_codes are issued, the authorization_codes query parameter will be comma separated.
- Securely store and save the authorization_codes. These codes are valid for 1 year and will be required to continue to access the user's account without needing to login again until the codes have expired (1 year).
- When you're ready to make an API call on behalf of the user, use the /oauth2/requestToken resource to exchange the authorization_code for an access_token. Access tokens are valid for 30 minutes. When an access token has expires, you will need to obtain a new access_token using the same authorization_code from Step #3 using the /oauth2/requestToken resource.
- Securely and temporarily store the access_token and complete your desired API calls using the new token.
- After your authorization_code has expired (1 year), you'll need to start over again from Step #1 to continue acting on behalf of the user.
API Authorization Page: