Authorization Code Flow with PKCE
Use for
Mobile Applications
Native Applications
Following process describes how to obtain an user's authorization to interact with the Loom AI API on the user's behalf using the OAuth2 Authorization Code Flow with Proof Key for Code Exchange.
1. Generate Code Challenge & Verifier
PKCE is an extension for the Authorization Code Flow protecting against 3rd parties hijacking your application's authorization request by validating that the token exchange request is originating from the same client that initiated authorization.
This works by generating a secret (code verifier) and appending a hash thereof (code challenge) to the authorization request. The code verifier is subsequently being appended to the token exchange request, allowing the authorization server to compare it to the previously received code challenge.
Now lets walk through the steps. Start by generating the code verifier and hash it to obtain a code challenge.
2. User Authentication & Request Authorization
Redirect the user to following parameterized URL to authenticate the user and request authorization for your application to interact with the Loom AI API on the user's behalf.
Request
Response
On success, you will receive a HTTP 302 response redirecting to your specified redirect_uri
with an url query string that contains the authorization result. Specifically the authorization code
required to obtain an access token as well as your state
parameter.
If authorization failed or has been denied by the user, the query string will contain an error parameter with further details instead.
3. Exchange Authorization Code for API Access Token
The authorization code obtained in previous step can now be exchanged for an access token to authorize requests of your application to the Loom AI API.
Request
Response
If all parameters are valid, you will receive a HTTP 200 response with a JSON payload containing an access_token
which you can use to authorize your application's requests to the Loom AI API, a refresh_token
if you included scope offline_access
in previous step as well as token_type
and expiry
. The access token will be valid for the amount of seconds stated by expiry
. Afterwards your application will either need to re-request authorization, or renew the access token if it received a refresh token.
Last updated