The OAuth 2.0 specification defines five methods (known as grant types) that an API client can use to request an access token. The method your application will use largely depends on the following three factors:
- Required access level.
- User-level: API authorization is delegated to your application by a marketplace end user so that your application can make API requests as if they were the user.
- System-level: API authorization is delegated to your application directly, not on behalf of an end user.
- Ability to keep a client secret secure.
- Access to an end user's login credentials (username and password).
Use the following table to determine which type of grant type is appropriate for your client.
|Grant type||Access level required||Client can secure client secret||Access to user credentials||Supports refresh token||Sample use case|
|Authorization Code||user||yes||no||yes||Web server application, Native application (with PKCE)|
|Password||user||yes||yes||yes||Trusted web server applications that require direct login|
|Client credentials||system||no||no||no||System-to-system integrations|
For some end-user flows (Authorization Code and Password), you can use the optional Refresh Token grant type to automatically obtain a new access token after the current token expires. If you do not use a Refresh Token, the user has to re-authenticate for the API client to acquire a new access token to replace the expired one.
Was this page helpful?
Tell us more…
Help us improve our content. Responses are anonymous.
We appreciate your feedback!