# OAuth2
To create transactions or call user-scoped endpoints, a partner must be authorized by the user. A partner that created the user's account via the API is authorized automatically; otherwise the partner must obtain the user's authorization. Authorization is done by redirecting the user to the XanPool website, where they are prompted to authorize the partner. After granting permissions, the user is redirected back to the partner's website with the authorization code.
# Authorization page
Page
https://xanpool.com/authorize?clientId={API_KEY}&redirectUrl={PAGE AFTER SUCCESSFUL AUTHORIZATION}
To initiate authorization, users must be redirected to the authorization page, where they are prompted to authorize the partner's account. After successful authorization, users are redirected to the redirectUrl with an authorizationCode appended (e.g. https://okex.com/success?authorizationCode=1xseh1j2u91nb12gsna1). If the user did not grant the permissions, the URL will contain error=rejected.
# Authorization Code Exchange
This endpoint exchanges the authorizationCode received in the previous step for a user-scoped accessToken. The access token is valid for 30 days.
Endpoint
POST https://xanpool.com/api/oauth2/token
Payload attributes
Parameter | Description |
---|---|
code | The code from the previous step |
Response
Parameter | Description |
---|---|
accessToken | User scoped token |
expiresAt | Timestamp of when the accessToken expires |
Request Example
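```shell
# Exchange the authorization code for a user-scoped token (HTTP Basic auth with the partner's API key and secret)
curl "https://xanpool.com/api/oauth2/token" \
  -X POST \
  -H "Content-Type: application/json" \
  -u "{API_KEY}:{API_SECRET}" \
  -d '{"code":"1xseh1j2u91nb12gsna1"}'
```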
Response
```json
{
  "accessToken": "1e1e1dad4b5b685900124e87121dad41e1dad4b5b685900124e8712b5b685900124e8711e1dad4b5b685900124e87122",
  "expiresAt": 1588824540
}
```
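The partner-side handling of the redirect and code exchange described above, as an added example that is not XanPool's own code: it builds the authorization URL, accepts a callback only if it matches the redirectUrl that was sent, and prepares the token request without sending it. The function names and `partner.example` are hypothetical, and it assumes `expiresAt` is a Unix timestamp in seconds.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

AUTHORIZE_URL = "https://xanpool.com/authorize"
TOKEN_URL = "https://xanpool.com/api/oauth2/token"


def build_authorize_url(api_key, redirect_url):
    # urlencode percent-encodes redirectUrl, so its own "?" and "&" cannot
    # be read as extra parameters of the authorize request.
    return AUTHORIZE_URL + "?" + urlencode(
        {"clientId": api_key, "redirectUrl": redirect_url})


def parse_callback(callback_url, expected_redirect_url):
    """Return the authorizationCode, or None if the user rejected."""
    got, want = urlsplit(callback_url), urlsplit(expected_redirect_url)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback is not the redirectUrl we sent")
    params = parse_qs(got.query)
    if params.get("error") == ["rejected"]:
        return None
    codes = params.get("authorizationCode", [])
    if len(codes) != 1:  # absent or repeated: refuse to guess
        raise ValueError("expected exactly one authorizationCode")
    return codes[0]


def build_token_request(api_key, api_secret, code):
    # Same request as the curl example: HTTP Basic auth (-u) and a JSON body.
    # Build it server-side only; API_SECRET must never reach the browser.
    basic = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return Request(
        TOKEN_URL,
        data=json.dumps({"code": code}).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + basic},
    )


def token_is_usable(token_response, now=None, skew=60):
    # Assumption: expiresAt is a Unix timestamp in seconds, as the sample suggests.
    now = time.time() if now is None else now
    return bool(token_response.get("accessToken")) and \
        token_response.get("expiresAt", 0) - skew > now
```

Pass the returned `Request` to `urllib.request.urlopen` to perform the exchange, then check the parsed JSON with `token_is_usable` before storing the token.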
# OAuth2 token from server
If you already have access to the user's account, you can avoid redirecting the user to the XanPool website. Use this endpoint to get a user-scoped token.
Endpoint
POST https://xanpool.com/api/oauth2/user-token
Payload attributes
Parameter | Description |
---|---|
userId | User that has granted permissions to the 3rd party app |
Response
Parameter | Description |
---|---|
accessToken | User scoped token |
expiresAt | Timestamp of when the accessToken expires |
Request Example
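```shell
# Request a user-scoped token directly from the server (HTTP Basic auth with the partner's API key and secret)
curl "https://xanpool.com/api/oauth2/user-token" \
  -X POST \
  -H "Content-Type: application/json" \
  -u "{API_KEY}:{API_SECRET}" \
  -d '{"userId":"5a738a2385c9de629f112c72"}'
```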
Response
```json
{
  "accessToken": "1e1e1dad4b5b685900124e87121dad41e1dad4b5b685900124e8712b5b685900124e8711e1dad4b5b685900124e87122",
  "expiresAt": 1588824540
}
```