Implicit Flow

Use for

  • Single-Page Web Applications

Following process describes how to obtain an user's authorization to interact with the Loom AI API on the user's behalf using the OAuth2 Implicit Flow.

1. User Authentication & Request Authorization

Redirect the user to following parameterized URL to authenticate the user and request authorization for your application to interact with the Loom AI API on the user's behalf.

https://auth.loomai.com/authorize?
response_type=token&
client_id={CLIENT_ID}&
audience={AUDIENCE}&
redirect_uri={REDIRECT_URI}&
scope={SCOPE}&
state={STATE}

Parameter

Description

response_type

Set to token.

client_id

Your application's Client ID.

audience

Set to https://api.loomai.com/.

redirect_uri

The URL to which the user will be redirected after authorization has been completed (urlencoded). The access token will be appended to the URL using an url fragment (#).

scope

Whiite-space separated list of scopes you are requesting authorization for. Please refer to Authorization Scopes for more details.

state

A random alphanumeric string your client application adds to the request. The value will be included when redirecting back to your application. This is used to prevent CSRF attacks.

Request

<a href="https://auth.loomai.com/authorize?
response_type=token&
client_id={CLIENT_ID}&
audience=https://api.loomai.com/&
scope=read:avatars%20write:avatars&
redirect_uri=https://{APPLICATION_DOMAIN}/oauth/callback&
state=0xdeadbeef">
Sign In
</a>

Response

If all parameters are valid, you will receive a HTTP 302 response redirecting to your specified redirect_uri with an url fragment, encoded as query parameters, that contains the authorization result. Specifically the access_token required to use the Loom AI API as well as additional information like token lifetime, authorized scopes etc.

If authorization failed or has been denied by the user, the url fragment will contain an error parameter with further details instead.

HTTP/1.1 302 Found
Location: https://{APPLICATION_DOMAIN}/oauth/callback#
access_token=ACCESS_TOKEN&
scope=AUTHORIZED_SCOPES&
expires_in=3600&
token_type=Bearer&
state=0xdeadbeef