Authorization Code Flow

Use for

Web Applications

Following process describes how to obtain an user's authorization to interact with the Loom AI API on the user's behalf using the OAuth2 Authorization Code Flow.

1. User Authentication & Request Authorization

Redirect the user to following parameterized URL to authenticate the user and request authorization for your application to interact with the Loom AI API on the user's behalf.

https://auth.loomai.com/authorize?
  response_type=code&
  audience=https%3A%2F%2Fapi.loomai.com%2F&
  client_id={CLIENT_ID}&
  redirect_uri={REDIRECT_URI}&
  scope={SCOPE}&
  state={STATE}

Parameter

Description

response_type

Set to code.

audience

Set to https://api.loomai.com/(url-encoded).

client_id

Your application's Client ID.

redirect_uri

The URL to which the user will be redirected after authorization has been completed (url-encoded). The authorization code will be appended to the URL using the query parameter code. You must add this URL to the callback urls when registering your client application.

scope

Whiite-space separated list of scopes you are requesting authorization for. Please refer to Authorization Scopes for more details.

state

A random alphanumeric string your client application adds to the request. The value will be included when redirecting back to your application. This is used to prevent CSRF attacks.

Request

<a href="https://auth.loomai.com/authorize?
    response_type=code&
    audience=https%3A%2F%2Fapi.loomai.com%2F&
    client_id={CLIENT_ID}&
    redirect_uri=https%3A%2F%2Fapp.domain.tld%2Foauth%2Fcallback&
    scope=read:avatars%20write:avatars&
    state=0xdeadbeef">
    Sign In
</a>

Response

On success, you will receive a HTTP 302 response redirecting to your specified redirect_uri with an url query string that contains the authorization result. Specifically the authorization code required to obtain an access token as well as your state parameter.

If authorization failed or has been denied by the user, the query string will contain an error parameter with further details instead.

HTTP/1.1 302 Found
Location: https://app.domain.tld/oauth/callback?
    code={AUTHORIZATION_CODE}&
    state=0xdeadbeef

2. Exchange Authorization Code for API Access Token

The authorization code obtained in previous step can now be exchanged for an access token to authorize requests of your application to the Loom AI API.

Request

curl --request POST \
  --url 'https://auth.loomai.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data audience=https://api.loomai.com/ \
  --data code={AUTHORIZATION_CODE} \
  --data client_id={CLIENT_ID} \
  --data client_secret={CLIENT_SECRET} \
  --data redirect_uri={REDIRECT_URI}

Parameter

Description

grant_type

Set to authorization_code.

audience

Set to https://api.loomai.com/.

code

The authorization code obtained in previous step.

client_id

Your application's Client ID.

client_secret

Your application's Client Secret.

redirect_uri

Must match theredirect_uriused in previous step.

Response

If all parameters are valid, you will receive a HTTP 200 response with a JSON payload containing an access_token which you can use to authorize your application's requests to the Loom AI API, a refresh_token if you included scope offline_access in previous step as well as token_type and expiry. The access token will be valid for the amount of seconds stated by expiry. Afterwards your application will either need to re-request authorization, or renew the access token if it received a refresh token.

{
  "access_token": "eyJz93a...k4laUWw",
  "refresh_token": "GEbRxBN...edjnXbL",
  "token_type": "Bearer",
  "expiry": 3600
}

PreviousAuthentication NextAuthorization Code Flow with PKCE

Last updated 3 years ago