Authorization Code Flow
Use for
Web Applications
Following process describes how to obtain an user's authorization to interact with the Loom AI API on the user's behalf using the OAuth2 Authorization Code Flow.
1. User Authentication & Request Authorization
Redirect the user to following parameterized URL to authenticate the user and request authorization for your application to interact with the Loom AI API on the user's behalf.
Parameter | Description |
| Set to |
| Set to |
| Your application's Client ID. |
| The URL to which the user will be redirected after authorization has been completed (url-encoded). The authorization code will be appended to the URL using the query parameter |
| Whiite-space separated list of scopes you are requesting authorization for. Please refer to Authorization Scopes for more details. |
| A random alphanumeric string your client application adds to the request. The value will be included when redirecting back to your application. This is used to prevent CSRF attacks. |
Request
Response
On success, you will receive a HTTP 302 response redirecting to your specified redirect_uri
with an url query string that contains the authorization result. Specifically the authorization code
required to obtain an access token as well as your state
parameter.
If authorization failed or has been denied by the user, the query string will contain an error parameter with further details instead.
2. Exchange Authorization Code for API Access Token
The authorization code obtained in previous step can now be exchanged for an access token to authorize requests of your application to the Loom AI API.
Request
Parameter | Description |
| Set to |
| Set to |
| The authorization code obtained in previous step. |
| Your application's Client ID. |
| Your application's Client Secret. |
| Must match the |
Response
If all parameters are valid, you will receive a HTTP 200 response with a JSON payload containing an access_token
which you can use to authorize your application's requests to the Loom AI API, a refresh_token
if you included scope offline_access
in previous step as well as token_type
and expiry
. The access token will be valid for the amount of seconds stated by expiry
. Afterwards your application will either need to re-request authorization, or renew the access token if it received a refresh token.
Last updated