# Authorization Code Flow

Use for

* Web Applications

The following process describes how to obtain a user's authorization to interact with the Loom AI API on the user's behalf using the [OAuth2 Authorization Code Flow](https://oauth.net/2/grant-types/authorization-code/).

### 1. User Authentication & Request Authorization

Redirect the user to the following parameterized URL to authenticate the user and request authorization for your application to interact with the Loom AI API on the user's behalf.

```http
https://auth.loomai.com/authorize?
  response_type=code&
  audience=https%3A%2F%2Fapi.loomai.com%2F&
  client_id={CLIENT_ID}&
  redirect_uri={REDIRECT_URI}&
  scope={SCOPE}&
  state={STATE}
```

| Parameter       | Description                                                                                                                                                                                                                                                                                                |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `response_type` | Set to `code`.                                                                                                                                                                                                                                                                                             |
| `audience`      | Set to `https://api.loomai.com/` (url-encoded).                                                                                                                                                                                                                                                            |
| `client_id`     | Your application's [Client ID](/guides/api-credentials.md).                                                                                                                                                                                                                                                |
| `redirect_uri`  | The URL to which the user will be redirected after authorization has been completed (url-encoded). The authorization code will be appended to the URL using the query parameter `code`. You must add this URL to the callback urls when [registering your client application](/guides/api-credentials.md). |
| `scope`         | White-space separated list of scopes you are requesting authorization for. Please refer to [Authorization Scopes](/api/schema/scope.md#authorization-scopes) for more details.                                                                                                                             |
| `state`         | A random alphanumeric string your client application adds to the request. The value will be included when redirecting back to your application. This is used to prevent [CSRF attacks](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29).                                             |

#### Request

```markup
<a href="https://auth.loomai.com/authorize?
    response_type=code&
    audience=https%3A%2F%2Fapi.loomai.com%2F&
    client_id={CLIENT_ID}&
    redirect_uri=https%3A%2F%2Fapp.domain.tld%2Foauth%2Fcallback&
    scope=read:avatars%20write:avatars&
    state=0xdeadbeef">
    Sign In
</a>
```

#### Response

On success, you will receive an HTTP 302 response redirecting to your specified `redirect_uri` with a URL query string that contains the authorization result: the authorization `code` required to obtain an access token, as well as your `state` parameter. Verify that the returned `state` equals the value you sent before using the code.

If authorization failed or has been denied by the user, the query string will contain an `error` parameter with further details instead of a `code`.

```http
HTTP/1.1 302 Found
Location: https://app.domain.tld/oauth/callback?
    code={AUTHORIZATION_CODE}&
    state=0xdeadbeef
```

### 2. Exchange Authorization Code for API Access Token

The authorization code obtained in the previous step can now be exchanged for an access token that authorizes your application's requests to the Loom AI API. This request carries your client secret, so it must be sent from your server, not from the browser.

#### Request

```bash
curl --request POST \
  --url 'https://auth.loomai.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data audience=https://api.loomai.com/ \
  --data code={AUTHORIZATION_CODE} \
  --data client_id={CLIENT_ID} \
  --data client_secret={CLIENT_SECRET} \
  --data redirect_uri={REDIRECT_URI}
```

| Parameter       | Description                                                     |
| --------------- | --------------------------------------------------------------- |
| `grant_type`    | Set to `authorization_code`.                                    |
| `audience`      | Set to `https://api.loomai.com/`.                               |
| `code`          | The authorization code obtained in the previous step.           |
| `client_id`     | Your application's [Client ID](/guides/api-credentials.md).     |
| `client_secret` | Your application's [Client Secret](/guides/api-credentials.md). |
| `redirect_uri`  | Must match the `redirect_uri` used in the previous step.        |

#### Response

If all parameters are valid, you will receive an HTTP 200 response with a JSON payload containing an `access_token`, which you can use to authorize your application's requests to the Loom AI API, a `refresh_token` if you included the scope `offline_access` in the previous step, as well as `token_type` and `expiry`. The access token will be valid for the number of seconds stated by `expiry`. Afterwards your application will either need to re-request authorization, or renew the access token if it received a refresh token.

```json
{
  "access_token": "eyJz93a...k4laUWw",
  "refresh_token": "GEbRxBN...edjnXbL",
  "token_type": "Bearer",
  "expiry": 3600
}
```
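The two steps above as one end-to-end server-side client, written in Python as an added example (this is not code from Loom AI's documentation or SDK). It uses only the endpoints, parameter names and the `expiry` response field shown on this page; the client ID, client secret, redirect URI and the token JSON used in the usage section are constructed placeholders, and the `post` argument of `exchange_code` is an assumption of this example that lets the exchange be exercised without network access. It also carries the `state` check and the `error` handling the response section describes.

```python
"""Authorization Code Flow client for the Loom AI API (added example, not official code).

Assumptions: endpoint URLs and parameter names are taken from this page; all
credentials and token values below are constructed placeholders.
"""
import json
import secrets
import time
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.loomai.com/authorize"
TOKEN_URL = "https://auth.loomai.com/oauth/token"
AUDIENCE = "https://api.loomai.com/"


def new_state():
    """Unguessable per-login state; store it server-side (e.g. in the session) before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: the URL the user is redirected to. urlencode() escapes the audience,
    the redirect_uri and the white-space separated scope list."""
    params = {
        "response_type": "code",
        "audience": AUDIENCE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Parse the URL the 302 sent the user to and return the authorization code.

    The state is checked before anything else, so a forged or replayed callback is
    rejected, and an `error` parameter is reported instead of a code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        detail = query.get("error_description", query["error"])[0]
        raise ValueError(f"authorization failed: {detail}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def post_form(url, fields):
    """Send an application/x-www-form-urlencoded POST and return the body as text."""
    request = urllib.request.Request(
        url,
        data=urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode()


def exchange_code(code, client_id, client_secret, redirect_uri, post=post_form, now=time.time):
    """Step 2: trade the code for tokens. `post` is injectable (example assumption) so the
    flow can be tested offline; `redirect_uri` must equal the value used in step 1."""
    body = post(TOKEN_URL, {
        "grant_type": "authorization_code",
        "audience": AUDIENCE,
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only; never ship it to the browser
        "redirect_uri": redirect_uri,
    })
    token = json.loads(body)
    if "access_token" not in token or token.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token response: {body[:200]}")
    return {
        "access_token": token["access_token"],
        "refresh_token": token.get("refresh_token"),  # present only with scope offline_access
        "token_type": token["token_type"],
        # `expiry` is a lifetime in seconds; convert it once to an absolute deadline
        "expires_at": int(now()) + int(token["expiry"]),
    }


def is_expired(token, now=time.time, leeway=30):
    """True when the access token should be renewed (or authorization re-requested)."""
    return now() + leeway >= token["expires_at"]


if __name__ == "__main__":
    # Usage: print the step-1 URL for a constructed client and redirect URI.
    state = new_state()
    print(build_authorize_url("{CLIENT_ID}", "https://app.domain.tld/oauth/callback",
                              ["read:avatars", "write:avatars", "offline_access"], state))
```

The state is compared with a constant-time function and checked before the `code` is even read, so a callback that does not match the pending login is dropped regardless of what else it carries. Storing `expires_at` as an absolute timestamp (rather than the raw `expiry` lifetime) is what lets `is_expired` decide, with a small leeway, when to refresh before a request fails.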


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.loomai.com/api/authentication/authorization-code-flow-1.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
