Guides & Tutorials

Client-side apps that cannot securely store secrets (OAuth2 Implicit Flow)

Suggest Edits

Is this the right flow for you?

Before you get started, let's make sure this is the right approach for you. Learn more at: How should I authenticate?

Let's get started

All apps need to be registered first

A registered OAuth application is assigned a unique Client ID and Client Secret. The Client Secret should not be shared.

The code below will show the basic actions required to complete the OAuth2 Implicit Flow. There are libraries for most languages that make generating the redirect URLs and posting back for the token very easy. Here are a few: Ruby, PHP, .NET

1. Redirect users to Reverb to request access.

Your app should provide a button with the title "Login with Reverb.com" or similar. This button should link to the following url:

https://reverb.com/oauth/authorize?client_id=[your-client-id]&redirect_uri=[your-callback-url]&response_type=token&scope=read_listings+write_listings

Explanation of params:

Param Name

Type

Description

client_id

string

Required. The client ID is a unique id assigned to your application when you register it with Reverb. View your ClientID at https://reverb.com/my/api_settings by clicking the details link for your app.

redirect_uri

string

Required. The URL where Reverb will redirect once the user authorizes your app. This should look something like https://yourdomain.com/auth/reverb/success

scope

string

Optional. A list of oauth scopes that your application requires on the user's behalf. The list is delimited by spaces, which is URI encoded as +. For example, an app that wants to read the user's listings and update them should use the scope: read_listings+write_listings. By default you will only get read access to the user's information.

List of all OAuth Scopes

response_type

string

Required. Should be set to token.

state

string

Optional. This parameter will be delivered back to you during the redirect. You should use this to set a randomly generated unguessable string so that you can validate the request for additional security in step 3.

2. User authorizes application

The user will be presented with a screen that looks similar to this:

12841284

3. User is redirected back to your redirect_uri with a token

The user's browser will be redirected back to your site with a your oauth code. The url will look something like this:

https://yoursite.com/auth/reverb/success#access_token=12345abcdefg&state=yourstate

If you supplied a state parameter in step 1, this is a good time to validate that the state you got back is the same as you requested. If it's not, the request originated with a third party and should be ignored. Read more about CSRF protection with the state parameter.

5. Use the token in subsequent requests to Reverb

Now you should set your client's headers to contain the given token in the Authorization header in every API request you make, using the OAuth Bearer token format:

curl -XGET https://api.reverb.com/api/some/thing -H "Authorization: Bearer [your token]"

Updated about 2 months ago