An overview of using OAuth2 with Metafy
URL | Description |
---|---|
https://metafy.gg/auth/authorize | Authorize URL |
https://metafy.gg/irk/oauth/token | Token URL |
https://metafy.gg/irk/oauth/revoke | Token Revocation URL |
`client_id` and `client_secret` from the application settings.
`state` parameter is a security feature that helps prevent these attacks by adding a unique token to the OAuth2 flow.
When the user is redirected back to your application, you should verify that the `state` parameter matches the value you provided in the initial request.
While Metafy does not require the use of the `state` parameter, we recommend using it.
`client_id` is your OAuth application’s client id. `scope` is a list of scopes separated by url encoded spaces (`%20`). `redirect_uri` is the URL you provided when creating your OAuth application, url-encoded. `state` is the unique string mentioned in State and Security.
When someone navigates to this URL, they will be prompted to authorize your application for the requested scopes. On acceptance, they will be redirected to your `redirect_uri`, which will contain an additional query parameter `code` that you can exchange for an access token. `state` will also be returned if you included it in your original request and should be validated at this point.
`code` is now exchanged for the account’s access token by making a `POST` request to the token URL with the following parameters:
- `grant_type` - must be set to `authorization_code`
- `code` - the authorization code provided to your redirect
- `redirect_uri` - the URL you provided when creating your OAuth application
- `client_id` - your OAuth application’s `client_id`
- `client_secret` - your OAuth application’s `client_secret`
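The authorization step, the `state` check on the callback, and the token-request parameters described above, as an added example (not Metafy's own code). `session` stands for any per-user server-side store; `response_type=code` is the standard RFC 6749 value and is an assumption, since the page does not show it; client id, redirect URI and scope names are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, quote, urlsplit, parse_qs

AUTHORIZE_URL = "https://metafy.gg/auth/authorize"  # from the table on this page


def begin_authorization(session, client_id, redirect_uri, scopes):
    """Create a fresh state, bind it to the user's session, return the URL to visit."""
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    session["oauth_state"] = state
    params = {
        "response_type": "code",  # assumption: RFC 6749 value, not shown on the page
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    # quote_via=quote encodes the spaces between scopes as %20 rather than '+'
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def handle_callback(session, callback_url, client_id, client_secret, redirect_uri):
    """Validate state on the redirect; return the token-request parameters or raise."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    received = query.get("state", [""])[0]
    # Constant-time comparison; a missing stored or returned state is also a failure.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: discard this callback, do not exchange the code")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    # Parameters for the POST to the token URL, as listed on this page.
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
```

The state is removed from the session before it is compared, so a callback URL that is captured and replayed fails even if its `state` was once valid.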
`expires_in` is how long, in seconds, until the returned access token expires, allowing you to anticipate the expiration and refresh the token. To refresh, make another `POST` request to the token URL with the following parameters:
- `grant_type` - must be set to `refresh_token`
- `refresh_token` - the refresh token provided in the access token response
- `client_id` - your OAuth application’s `client_id`
- `client_secret` - your OAuth application’s `client_secret`
`POST` request to the token revocation URL with the following parameters:
- `token` - the access or refresh token to revoke
- `token_type_hint` (optional) - set to `access_token` or `refresh_token`
- `client_id` - your OAuth application’s `client_id`
- `client_secret` - your OAuth application’s `client_secret`
`POST` request to the token URL with a grant type of `client_credentials`, you will be returned an access token for the application owner.
You can specify scopes with the `scope` parameter.
`refresh_token` when using the client credentials flow.