{
    "componentChunkName": "component---src-templates-article-page-template-js",
    "path": "/concepts/authentication-api/",
    "result": {"data":{"markdownRemark":{"frontmatter":{"title":"Authentication API","slug":"authentication-api","updated":"2019-11-27T00:00:00.000Z","category":"concepts-api-sdk","ingress":"Description of the Flex Authentication API and how the Marketplace API and Integration API applications use it","skills":null},"htmlAst":{"type":"root","children":[{"type":"element","tagName":"h2","properties":{"id":"authentication-api","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#authentication-api","ariaLabel":"authentication api permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"Authentication API"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"Both the\n"},{"type":"element","tagName":"a","properties":{"href":"/docs/legacy/concepts/marketplace-api-integration-api/"},"children":[{"type":"text","value":"Marketplace API and the Integration API"}]},{"type":"text","value":"\nrequire valid "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"access tokens"}]},{"type":"text","value":" to be passed in every API request.\n"},{"type":"element","tagName":"a","properties":{"href":"/docs/legacy/concepts/applications/"},"children":[{"type":"text","value":"Applications"}]},{"type":"text","value":" obtain those access tokens 
from\nthe Authentication API."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"As a general rule, applications that access the Marketplace API do so by\nauthenticating an end user of the marketplace (via the user's username\nand password), while Integration API applications authenticate using\ntheir own credentials."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"In order to access Flex APIs, you need to create an "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"Application"}]},{"type":"text","value":" in\n"},{"type":"element","tagName":"a","properties":{"href":"https://flex-console.sharetribe.com/applications","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"Flex Console"}]},{"type":"text","value":". Each\nApplication has a "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"client ID"}]},{"type":"text","value":". In addition, applications that access the\nIntegration API also have a corresponding "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"client secret"}]},{"type":"text","value":"."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"blockquote","properties":{},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"strong","properties":{},"children":[{"type":"text","value":"NOTE"}]},{"type":"text","value":" The easiest way to interact with both the Marketplace API and\nthe Integration API is to use our "},{"type":"element","tagName":"a","properties":{"href":"/docs/legacy/concepts/js-sdk/"},"children":[{"type":"text","value":"SDKs"}]},{"type":"text","value":". The SDKs\nhandle most of the complexity regarding authentication, access, and\nrefresh tokens. 
Below we discuss some of the underlying mechanisms and\nprinciples in the Authentication API."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"The Authentication API is based on the "},{"type":"element","tagName":"a","properties":{"href":"https://oauth.net/2/","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"OAuth 2.0"}]},{"type":"text","value":"\nframework."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"See also the\n"},{"type":"element","tagName":"a","properties":{"href":"https://www.sharetribe.com/api-reference/authentication.html","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"Authentication API reference documentation"}]}]},{"type":"text","value":"\n"},{"type":"element","tagName":"blockquote","properties":{},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"strong","properties":{},"children":[{"type":"text","value":"IMPORTANT"}]},{"type":"text","value":" The "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"client secret"}]},{"type":"text","value":" is a secret value that must be kept\nsafe and secure. Never expose your "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"client secret"}]},{"type":"text","value":" publicly (e.g. 
in\nyour web site's HTML or JavaScript code, in your mobile app source\ncode, etc.)."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"The Authentication API's main endpoint is for\n"},{"type":"element","tagName":"a","properties":{"href":"https://www.sharetribe.com/api-reference/authentication.html#issuing-tokens","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"issuing tokens"}]},{"type":"text","value":".\nDepending on whether your application is accessing the Marketplace API\nor the Integration API, that endpoint requires a different set of\nparameters and issues different kinds of "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"access tokens"}]},{"type":"text","value":"."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"Applications request access tokens using several different "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"grant\ntypes"}]},{"type":"text","value":":"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"client_credentials"}]},{"type":"text","value":" grant type is used by both Marketplace API and\nIntegration API applications with some important differences:\n"},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"when used by Marketplace API applications, it only requires the\n"},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"client ID"}]},{"type":"text","value":" and grants 
"},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"anonymous access tokens"}]},{"type":"text","value":" which can be used\nwith any of the Marketplace API endpoints that provide public data\nabout the marketplace (such as the\n"},{"type":"element","tagName":"a","properties":{"href":"https://www.sharetribe.com/api-reference/marketplace.html#listings","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"/listings/"}]}]},{"type":"text","value":"\nendpoints)."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"when used by Integration API applications, it requires both the\nclient ID and the client secret and it grants access tokens that\nprovide full access to the Integration API. It also provides a\n"},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"refresh token"}]},{"type":"text","value":" that can be used to obtain fresh access tokens later."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"password"}]},{"type":"text","value":" grant type is used only by Marketplace API applications and\nallows them to authenticate the marketplace's end users via their own\n"},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"username"}]},{"type":"text","value":" and "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"password"}]},{"type":"text","value":". 
It also provides Marketplace API\napplications with a "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"refresh token"}]},{"type":"text","value":" that can be used to obtain fresh\naccess tokens and can act as the end user's session secret."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"refresh_token"}]},{"type":"text","value":" grant type is used by both Marketplace API and\nIntegration API applications and grants a fresh "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"access token"}]},{"type":"text","value":" when\ngiven a client ID and a valid "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"refresh token"}]},{"type":"text","value":"."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"All access tokens that the Authentication API grants are short-lived\n(valid for some number of minutes). Instead of always using the main\ngrant type repeatedly (i.e. "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"password"}]},{"type":"text","value":" or "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"client_credentials"}]},{"type":"text","value":"),\nimplementations are advised to use the "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"refresh_token"}]},{"type":"text","value":" grant, as refresh\ntokens are typically valid for a much longer period of time (days to\nmonths). This practice minimizes the risk of a long-term secret being\naccidentally exposed (e.g. 
user's password or Integration API\napplication's client secret)."}]}],"data":{"quirksMode":false}},"headings":[{"value":"Authentication API","depth":2}]}},"pageContext":{"slug":"authentication-api","category":"concepts-api-sdk"}},
    "staticQueryHashes": ["3794076007","439097193","717698143"]}