OAuth 2.0 Authentication

This is also known as the “Implicit Grant” authorization flow.

For this authentication type you only need:

  • Client Id: the ID of the application you create on the API’s website. You can create your Spotify applications here for example.
  • Endpoint: a URL that is used to perform the authentication.  In Spotify’s case you can check that url in the Implicit Grant Flow section of their authorization guide: https://accounts.spotify.com/authorize
  • Scopes: a list of strings that represent what the application will be able to access on behalf of the signed-in user. For example, if a Spotify application wants to modify user’s private playlists, it’ll need to ask for the playlist-modify-private scope as seen here. You should probably just add all available scopes to cover for all the possible things an API can do.

When this authentication type is used, an authorization header will be added to each request made to the API. This token represents the permission that the user gave the application to act on her/his behalf.


Spotify Web API

Dropbox – In this example the “Implicit Grant” flow is referenced as “OAuth 2 on the web

Instagram – In this example the API requires each request to have a special parameter added to the URL with the token gotten from the “Implicit Grant” flow. It needs the “access_token” parameter to be added to each request. Because of this you need to set the “Query Parameter” field in the API definition in AutoWeb (under OAuth2 specific) to “access_token”.