title: oauth API methods description: Generate and manage OAuth tokens. menu: docs:
weight: 10
name: oauth
parent: methods-apps
identifier: methods-oauth
aliases: [ "/methods/oauth", "/api/methods/oauth", "/methods/apps/oauth",
GET /oauth/authorize HTTP/1.1
Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired redirect_uri
, or show the authorization code if urn:ietf:wg:oauth:2.0:oob
was requested. The authorization code can be used while requesting a token to obtain access to user-level methods.
Returns: String (URL) or HTML response\
OAuth: Public\
Version history:\
0.1.0 - added\
2.6.0 - added force_login
\
3.5.0 - added lang
response_type
: {{}} String. Should be set equal to code
.
client_id : {{}} String. The client ID, obtained during app registration.
redirect_uri
: {{}} String. Set a URI to redirect the user to. If this parameter is set to urn:ietf:wg:oauth:2.0:oob
then the authorization code will be shown instead. Must match one of the redirect_uris
declared during app registration.
scope
: String. List of requested OAuth scopes, separated by spaces (or by pluses, if using query parameters). Must be a subset of scopes
declared during app registration. If not provided, defaults to read
.
force_login : Boolean. Forces the user to re-login, which is necessary for authorizing with multiple accounts from the same instance.
lang : String. The ISO 639-1 two-letter language code to use while rendering the authorization form.
The authorization code will be returned as a query parameter named code
.
redirect_uri?code=qDFUEaYrRK5c-HNmTCJbAzazwLRInJ7VHFat0wcMgCU
If the authorization code is incorrect or has been used already, the request will fail.
{
"error": "invalid_grant",
"error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}
POST /oauth/token HTTP/1.1
Obtain an access token, to be used during API calls that are not public.
Returns: Token\ OAuth: Public\ Version history:\ 0.1.0 - added
grant_type
: {{}} String. Set equal to authorization_code
if code
is provided in order to gain user-level access. Otherwise, set equal to client_credentials
to obtain app-level access only.
code : String. A user authorization code, obtained via GET /oauth/authorize.
client_id : {{}} String. The client ID, obtained during app registration.
client_secret : {{}} String. The client secret, obtained during app registration.
redirect_uri
: {{}} String. Set a URI to redirect the user to. If this parameter is set to urn:ietf:wg:oauth:2.0:oob then the token will be shown instead. Must match one of the redirect_uris
declared during app registration.
scope
: String. List of requested OAuth scopes, separated by spaces (or by pluses, if using query parameters). If code
was provided, then this must be equal to the scope
requested from the user. Otherwise, it must be a subset of scopes
declared during app registration. If not provided, defaults to read
.
Store this access_token for later use with auth-required methods. The token should be passed as an HTTP Authorization
header when making API calls, with the value Bearer access_token
{
"access_token": "ZA-Yj3aBD8U8Cm7lKUp-lm9O9BmDgdhHzDeqsY8tlL0",
"token_type": "Bearer",
"scope": "read write follow push",
"created_at": 1573979017
}
If you try to request a scope that was not included when registering the app, the request will fail.
{
"error": "invalid_scope",
"error_description": "The requested scope is invalid, unknown, or malformed."
}
If client_id and client_secret do not match or are invalid, the request will fail.
{
"error": "invalid_client",
"error_description": "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
}
POST /oauth/revoke HTTP/1.1
Revoke an access token to make it no longer valid for use.
Returns: Empty\ OAuth: Public\ Version history:\ x.x.x - added
client_id : {{}} String. The client ID, obtained during app registration.
client_secret : {{}} String. The client secret, obtained during app registration.
token : {{}} String. The previously obtained token, to be invalidated.
If you own the provided token, the API call will provide an empty response. This operation is idempotent, so calling this API multiple times will still return OK.
{}
If you provide a token you do not own, or no token at all, the API call will return a 403 error.
{
"error": "unauthorized_client",
"error_description": "You are not authorized to revoke this token"
}
{{< page-relref ref="methods/apps#create" caption="POST /api/v1/apps" >}}
{{< caption-link url="https://github.com/mastodon/mastodon/blob/main/app/controllers/oauth/authorizations_controller.rb" caption="app/controllers/oauth/authorizations_controller.rb" >}}
{{< caption-link url="https://github.com/mastodon/mastodon/blob/main/app/controllers/oauth/authorized_applications_controller.rb" caption="app/controllers/oauth/authorized_applications_controller.rb" >}}
{{< caption-link url="https://github.com/mastodon/mastodon/blob/main/app/controllers/oauth/tokens_controller.rb" caption="app/controllers/oauth/tokens_controller.rb" >}}