Most API calls require an access_token. There are two ways to obtain one. The first and preferred way is the authorization code flow: with an auth code your app gets a long-lived token that can be refreshed. The second way is the implicit grant, which gives a short-lived token.

Passing the token

Preferred way

Pass the token in the Authorization header:


curl -XGET -H 'Authorization: Bearer [access_token]' '[api_url]'

Query parameter


You can also call the API with the access_token as a query parameter:


curl -XGET '[api_url]?access_token=[access_token]'
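The two ways of passing the token differ in where the secret ends up: a header is seen only by the API, while a query parameter becomes part of the URL and is copied into access logs, proxy logs and browser history. The following Python, added here as an illustration and not part of the original documentation, builds both request forms and shows the redaction step a server must apply before writing a query-string URL to a log. The API URL is a constructed placeholder; the page does not give one.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Constructed placeholder: the page does not state the API base URL.
API_URL = "https://api.example.invalid/v1/me"


def header_request(url: str, access_token: str) -> Request:
    """Preferred form: the token travels only in the Authorization header."""
    return Request(url, headers={"Authorization": f"Bearer {access_token}"})


def query_request(url: str, access_token: str) -> Request:
    """Query-parameter form: the token becomes part of the URL itself."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query["access_token"] = access_token
    return Request(urlunsplit(parts._replace(query=urlencode(query))))


# Matches the value of an access_token query parameter up to the next separator.
_TOKEN_PARAM = re.compile(r"(access_token=)[^&#\s]*")


def redact_url(url: str) -> str:
    """Mask the access_token value so the URL can be logged safely."""
    return _TOKEN_PARAM.sub(r"\1[REDACTED]", url)


if __name__ == "__main__":
    # Constructed demo token; a real token never belongs in source code.
    demo = "demo-access-token"
    print("header form URL:", header_request(API_URL, demo).full_url)
    leaky = query_request(API_URL, demo).full_url
    print("query form URL: ", leaky)
    print("what may be logged:", redact_url(leaky))
```

With the header form the logged URL never contains the token; with the query form every component that records request URLs must apply something like `redact_url`, which is why the header form is the preferred one.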

Authorization Code

These tokens are granted by using response_type=code.

Long lived token

Access tokens granted this way are long-lived: they expire after 1 year.

After the user has authorized your site, we redirect them back to your redirect_uri with additional query parameters:

  • code, the grant code
  • state, the state value you passed, to prevent Cross Site Scripting (optional, null by default)
Location: [redirect_uri]?code=[code]&state=[state]

Single Use

The authorization code can only be used a single time.

The code you retrieve is not the access_token but an intermediate code used to obtain the real access_token.

In order to get a real access_token your server needs to request it.

Server to server request

Request the access token from your server only. The end user must never see the value of the access_token.

The request must be made with the HTTP POST method:


curl -XPOST '[token_endpoint]' -d 'grant_type=authorization_code' -d 'client_id=[APP_ID]' -d 'client_secret=[APP_SECRET]' -d 'code=[code]'

The response is JSON:
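The steps above (redirect with code and state, single-use code, server-to-server POST with the client secret) fit together into one client. The Python below is an added example, not the service's own code: it starts a flow with a fresh state bound to the user's session, accepts the callback only if the state matches that session (the role RFC 6749 §10.12 assigns to state), exchanges each code at most once, and performs the POST from the server so the client_secret and the resulting access_token never reach the browser. The endpoint URLs, the redirect_uri and the JSON shape of the token response are assumptions; the page does not state them. A fake token endpoint stands in for the real one so the example runs offline.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: the page gives neither the authorize/token endpoint
# URLs nor the JSON layout of the token response; both are assumed here.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
TOKEN_URL = "https://auth.example.invalid/oauth/token"
REDIRECT_URI = "https://app.example.invalid/callback"
APP_ID = "[APP_ID]"
APP_SECRET = "[APP_SECRET]"  # lives on the server only; never shipped to the browser


def redirect_params(location: str) -> dict:
    """Single-valued view of the query string of a redirect we received."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


class CodeFlowClient:
    """Authorization-code flow: start() builds the authorize URL,
    handle_callback() validates the redirect and exchanges the code."""

    def __init__(self, post):
        self._post = post         # post(url, form: dict) -> response body (str)
        self._pending = {}        # state -> session id that started the flow
        self._used_codes = set()  # codes already exchanged (single use)

    def start(self, session_id: str) -> str:
        # Fresh, unguessable state per flow, remembered against the session.
        state = secrets.token_urlsafe(32)
        self._pending[state] = session_id
        params = {"response_type": "code", "client_id": APP_ID,
                  "redirect_uri": REDIRECT_URI, "state": state}
        return AUTHORIZE_URL + "?" + urlencode(params)

    def handle_callback(self, session_id: str, location: str) -> str:
        params = redirect_params(location)
        state, code = params.get("state"), params.get("code")
        # Each state is consumed on first use, so a replayed redirect fails here.
        started_by = self._pending.pop(state, None) if state else None
        if started_by is None or not hmac.compare_digest(started_by, session_id):
            raise ValueError("state does not match a flow started by this session")
        if not code:
            raise ValueError("redirect carried no authorization code")
        if code in self._used_codes:
            raise ValueError("authorization code was already exchanged")
        self._used_codes.add(code)
        # Server-to-server POST, the curl -XPOST ... -d grant_type=authorization_code call.
        body = self._post(TOKEN_URL, {
            "grant_type": "authorization_code",
            "client_id": APP_ID,
            "client_secret": APP_SECRET,
            "code": code,
        })
        token = json.loads(body)
        if "access_token" not in token:
            raise ValueError(f"token endpoint refused the code: {token.get('error')}")
        return token["access_token"]


def fake_token_endpoint(url: str, form: dict) -> str:
    """Offline stand-in for the real token endpoint (constructed for this demo)."""
    if url != TOKEN_URL or form.get("grant_type") != "authorization_code":
        return json.dumps({"error": "unsupported_grant_type"})
    if form.get("client_secret") != APP_SECRET or form.get("code") != "demo-code":
        return json.dumps({"error": "invalid_grant"})
    # Assumed response layout; expires_in reflects the 1-year lifetime quoted above.
    return json.dumps({"access_token": "demo-access-token",
                       "expires_in": 365 * 24 * 3600, "token_type": "Bearer"})


if __name__ == "__main__":
    client = CodeFlowClient(fake_token_endpoint)
    authorize_url = client.start("session-1")
    state = redirect_params(authorize_url)["state"]
    callback = f"{REDIRECT_URI}?code=demo-code&state={state}"
    print(client.handle_callback("session-1", callback))
```

In a real deployment `post` would be an HTTPS client call and `_pending` would live in the user's server-side session store; the checks stay the same.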


Implicit Grant

These tokens are granted by using response_type=token.

Short lived token

Access tokens granted this way are short-lived: they expire after 6 hours.

Security and support

Because of the security concerns involved, using these tokens is not recommended.
Some API calls will not work with a short-lived access token.

After a user has granted permissions to your app, we redirect them back using the redirect_uri. Alternatively, using the JS interface, a callback can be used to get the token without redirects.

The redirect returns the following parameters:

  • access_token, the access token
  • expires_in, number of seconds before the token expires
  • token_type, the type of the token (Bearer by default)
Location: [redirect_uri]#access_token=[access_token]&expires_in=21600&token_type=bearer
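The implicit-grant redirect hands the token straight to the client, so the client is responsible for reading it off the URL, refusing it if it arrived somewhere it should not, and tracking the 6-hour lifetime that expires_in announces. The following Python is an added example, not code from the page: it parses the redirect, rejects a token delivered in the query string rather than the fragment (it assumes the fragment form of RFC 6749 §4.2.2, since fragments are never sent to the server and so stay out of its logs), turns expires_in into an absolute expiry and checks it with a safety margin. The redirect_uri is a constructed placeholder.

```python
from urllib.parse import parse_qs, urlsplit

REDIRECT_URI = "https://app.example.invalid/callback"  # constructed placeholder
SIX_HOURS = 6 * 3600  # the 21600-second expires_in quoted in the redirect above


def parse_implicit_redirect(location: str, now: float) -> dict:
    """Read the token parameters off the redirect and compute an absolute expiry.

    Assumes the parameters arrive in the URL fragment (#...), as RFC 6749 §4.2.2
    requires for the implicit grant.
    """
    parts = urlsplit(location)
    if "access_token" in parse_qs(parts.query):
        # Fragments stay in the browser; query strings reach server access logs.
        raise ValueError("access_token arrived in the query string, not the fragment")
    params = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    try:
        access_token = params["access_token"]
        expires_in = int(params["expires_in"])
    except (KeyError, ValueError) as exc:
        raise ValueError("redirect lacks access_token or a numeric expires_in") from exc
    # The page says Bearer is the default, so a missing token_type is accepted.
    if params.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError(f"unexpected token_type {params['token_type']!r}")
    if expires_in <= 0:
        raise ValueError("token was already expired on arrival")
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_at": now + expires_in}


def is_expired(token: dict, now: float, skew: float = 60.0) -> bool:
    """Treat the token as expired `skew` seconds early to absorb clock drift."""
    return now + skew >= token["expires_at"]


if __name__ == "__main__":
    # Constructed redirect with a demo token, matching the Location line above.
    location = f"{REDIRECT_URI}#access_token=demo-token&expires_in=21600&token_type=bearer"
    token = parse_implicit_redirect(location, now=0.0)
    print(token)
    print("expired after 6 h?", is_expired(token, now=SIX_HOURS))
```

Because there is no refresh token in this grant, `is_expired` returning true means the user has to go through the authorization step again; this is the practical cost of the short lifetime that the section above describes.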

For more details about the OAuth protocol, see the OAuth 2.0 specification, RFC 6749.