Authentication Web Flows

Setup

The client-side flow is generally used for JavaScript and other situations where a third party could inspect the code and so would be able to read your client_secret.

If you are working with mobile clients, or are otherwise embedding the web page in the app, you may want to add &simple_login=1 to your endpoint URI, which removes the navigation and extraneous links from the authorization page.

To start, set at least one redirect URI for your client in the developer area. This restricts which server or app can receive the access token at the end of the process.

Server-side flow

Start by making this GET call:

https://pnut.io/oauth/authenticate
  ?client_id=[client ID]
  &redirect_uri=[redirect URI]
  &scope=[comma-delimited scopes]
  &response_type=code

To always prompt the user to authorize the scopes, even if they have already done so, use the https://pnut.io/oauth/authorize endpoint instead.

This will direct the user to a page to authorize your client for the given scopes. If they approve, it will redirect them to your redirect URI with /?code=[CODE] appended.

If the user decides not to authorize your client, they will be redirected to your redirect URI with /?error_message=resource+owner+denied+your+app+access&error=access_denied appended.

Now POST the values you have to the token endpoint, sending them as a URL-encoded body (with a Content-Type of application/x-www-form-urlencoded):

curl "https://test-api4.pnut.io/v1/oauth/access_token" \
-d "client_id=${CLIENT_ID}" \
-d "client_secret=${CLIENT_SECRET}" \
-d "code=${CODE}" \
-d "redirect_uri=${REDIRECT_URI}" \
-d "grant_type=authorization_code" \
-X POST

A JSON response is returned in the form of:

{"access_token": ACCESS_TOKEN, "token": {...Token object...}, "user_id": USER_ID, "username": USERNAME}

Client-side flow

Start with this GET:

https://pnut.io/oauth/authenticate
  ?client_id=[client ID]
  &redirect_uri=[redirect URI]
  &scope=[comma-delimited scopes]
  &response_type=token

To always prompt the user to authorize the scopes, even if they have already done so, use the https://pnut.io/oauth/authorize endpoint instead.

This will direct the user to an authorization page just like the server-side flow. If they approve the scopes for your client, they will be redirected to your redirect URI with /#access_token=[token] appended.

If the user decides not to authorize your client, they will be redirected to your redirect URI with /#error_message=resource+owner+denied+your+app+access&error=access_denied appended.
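The two flows above differ only in where the result comes back: the server-side flow returns a code in the query string, which the server then exchanges for a token with its client_secret, while the client-side flow returns the token itself in the URL fragment, which the browser never sends to the server. The following Python is an added example, not pnut.io's own code or library: it builds the authorization URL for either flow, interprets the redirect for both success and denial (refusing anything that did not land on the registered redirect URI), and performs the server-side code exchange with the same form fields as the curl call above. The endpoint hosts are the ones given on this page; client IDs, redirect URIs and codes are constructed sample values, and the `opener` parameter is an assumption of this example so the exchange can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

# Endpoints as given on the page.
AUTHENTICATE_URL = "https://pnut.io/oauth/authenticate"
AUTHORIZE_URL = "https://pnut.io/oauth/authorize"  # always re-prompts for scopes
TOKEN_URL = "https://test-api4.pnut.io/v1/oauth/access_token"


def build_authorize_url(client_id, redirect_uri, scopes, response_type, force_prompt=False):
    """GET URL the user is sent to. response_type is "code" (server-side) or "token" (client-side)."""
    if response_type not in ("code", "token"):
        raise ValueError("response_type must be 'code' or 'token'")
    base = AUTHORIZE_URL if force_prompt else AUTHENTICATE_URL
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),  # pnut expects comma-delimited scopes
        "response_type": response_type,
    }
    return base + "?" + urllib.parse.urlencode(params)


def _same_redirect_target(landing, registered):
    """True if the landing URL is the registered redirect URI (pnut appends a trailing '/')."""
    a, b = urllib.parse.urlsplit(landing), urllib.parse.urlsplit(registered)
    return (a.scheme, a.netloc, a.path.rstrip("/")) == (b.scheme, b.netloc, b.path.rstrip("/"))


def parse_redirect(landing_url, registered_redirect_uri):
    """Interpret the URL the browser landed on after the authorization page.

    Server-side flow puts the result in the query (/?code=... or /?error=...);
    client-side flow puts it in the fragment (/#access_token=... or /#error=...),
    which the browser never transmits to the server.
    Returns ("code", value), ("token", value) or ("error", error_code).
    """
    if not _same_redirect_target(landing_url, registered_redirect_uri):
        raise ValueError("redirect did not land on the registered redirect URI")
    parts = urllib.parse.urlsplit(landing_url)
    for source in (parts.query, parts.fragment):
        fields = urllib.parse.parse_qs(source)
        if "error" in fields:
            return "error", fields["error"][0]
        if "code" in fields:
            return "code", fields["code"][0]
        if "access_token" in fields:
            return "token", fields["access_token"][0]
    raise ValueError("redirect carried neither a code, a token nor an error")


def build_token_request(client_id, client_secret, code, redirect_uri):
    """The POST the curl call above makes: form-encoded body, authorization_code grant."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def exchange_code(client_id, client_secret, code, redirect_uri, opener=urllib.request.urlopen):
    """Send the token request and return the parsed JSON response.

    `opener` defaults to urllib's urlopen and is injectable (an assumption of this
    example) so the exchange can be exercised offline; the real response carries
    access_token, token, user_id and username as described on the page.
    """
    req = build_token_request(client_id, client_secret, code, redirect_uri)
    with opener(req) as resp:
        payload = json.load(resp)
    if "access_token" not in payload:
        raise RuntimeError("token endpoint returned no access_token")
    return payload
```

The redirect check compares scheme, host and path against the URI registered in the developer area, so a code or token that arrives anywhere else is never exchanged or stored. For the client-side flow, the fragment is only visible to script running in the browser, which is why that flow needs no client_secret.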