Authentication and Authorization

Clients will need to invoke /authorize to complete the authentication and authorization flow. If this completes successfully, the client receives a code which it can use with /token to retrieve an access_token and, if one is available, a refresh_token.

auth

  1. Start an authentication and authorization flow by directing the browser to /authorize. Be sure to specify the correct redirect_uri for the client.
  2. The authentication and authorization flow ends by calling the redirect_uri for the client with either a code or error.
  3. Use the received code with /token to obtain an access token and refresh token if available.

Access tokens are typically short-lived, lasting only minutes, hours, or days. Refresh tokens are typically much longer-lived. After the initial token acquisition, if a client has a refresh token it may use it to acquire new access and refresh tokens when the access token expires. Refresh tokens may be used only once.

use

  1. If the access token has expired and a refresh token is available to the client, use /token with the refresh token to get new access and refresh tokens. A refresh token may only be used once.
  2. Call the resource server with the access token. The access token is sent to the resource server as an HTTP Authorization header prefixed by the text Bearer.
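The two procedures above (acquiring tokens with /authorize and /token, then using and refreshing them) as one added, self-contained example. This is not the page's or any library's code: the authorization server, resource server and client are constructed in-memory stand-ins so the flow can be run offline; the endpoint and parameter names follow the page, while the host names, the client_id, the 60 s access-token lifetime and the storage layout are assumptions. The server side enforces the redirect_uri registration and the single-use rule for refresh tokens, and the client checks the state value on the callback so a code from some other flow is not exchanged.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class MockAuthServer:
    """Constructed stand-in for /authorize, /token and a resource server (not a real server)."""

    ACCESS_TTL = 60  # seconds; an assumed short access-token lifetime

    def __init__(self, registered_redirect_uri, clock=time.time):
        self.registered_redirect_uri = registered_redirect_uri
        self.clock = clock
        self._codes = {}       # code -> redirect_uri it was issued for
        self._refresh = set()  # refresh tokens that have not been used yet
        self._access = {}      # access_token -> expiry timestamp

    def authorize(self, url):
        """The browser visits /authorize; the server redirects back to the client with a code."""
        q = parse_qs(urlparse(url).query)
        redirect_uri, state = q["redirect_uri"][0], q["state"][0]
        if redirect_uri != self.registered_redirect_uri:
            return None  # unregistered redirect_uri: never send a code anywhere else
        code = secrets.token_urlsafe(16)
        self._codes[code] = redirect_uri
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form):
        """POST /token for either the code exchange or a refresh."""
        if form["grant_type"] == "authorization_code":
            if self._codes.pop(form.get("code"), None) != form.get("redirect_uri"):
                return {"error": "invalid_grant"}
        elif form["grant_type"] == "refresh_token":
            if form.get("refresh_token") not in self._refresh:
                return {"error": "invalid_grant"}
            self._refresh.discard(form["refresh_token"])  # refresh tokens are single use
        else:
            return {"error": "unsupported_grant_type"}
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._access[access] = self.clock() + self.ACCESS_TTL
        self._refresh.add(refresh)
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.ACCESS_TTL}

    def resource(self, headers):
        """Resource server: accepts only an unexpired token sent as 'Authorization: Bearer <token>'."""
        scheme, _, tok = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or self._access.get(tok, 0) <= self.clock():
            return 401
        return 200


class Client:
    def __init__(self, server, client_id, redirect_uri, clock=time.time):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.clock = clock
        self._state = None
        self.access = self.refresh = None
        self.expires_at = 0

    def start(self):
        """auth step 1: build the /authorize URL; state ties the callback to this attempt."""
        self._state = secrets.token_urlsafe(16)
        return "https://auth.example/authorize?" + urlencode({  # assumed host
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": self._state})

    def finish(self, callback_url):
        """auth steps 2 and 3: verify the callback, then trade the code for tokens at /token."""
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] != self._state:
            raise ValueError("state mismatch: callback does not belong to our flow")
        if "error" in q:
            raise RuntimeError(q["error"][0])
        self._store(self.server.token({"grant_type": "authorization_code",
                                       "code": q["code"][0],
                                       "redirect_uri": self.redirect_uri}))

    def _store(self, resp):
        if "error" in resp:
            raise RuntimeError(resp["error"])
        self.access, self.refresh = resp["access_token"], resp["refresh_token"]
        self.expires_at = self.clock() + resp["expires_in"]

    def _current_access_token(self):
        """use step 1: refresh only once the access token has expired; the old refresh token is spent."""
        if self.clock() >= self.expires_at and self.refresh:
            spent, self.refresh = self.refresh, None
            self._store(self.server.token({"grant_type": "refresh_token", "refresh_token": spent}))
        return self.access

    def call_resource(self):
        """use step 2: present the access token as a Bearer Authorization header."""
        return self.server.resource({"Authorization": "Bearer " + self._current_access_token()})
```

The clock is injectable so token expiry can be driven deterministically: after the access token lapses, call_resource refreshes transparently, and a second attempt to use the spent refresh token is rejected by the server.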