client_id is used to identify your client application. After you register a client application, you'll find the client_id in the list of client applications in the workspace settings panel.

client_secret is generated in the client applications section of awork. It is located next to the client_id on the workspace settings page. The secret will be used to authenticate your client application when you request a token.

offline_access: continued access, issues a refresh token.

Access Token is used to authenticate yourself within the API resources. It needs to be included in every request to the API. Each user has to use their own unique Access Token, since such tokens are only valid with the associated user. Also, Access Tokens are valid for one workspace only. If the client application wants to access multiple workspaces, it needs to request separate tokens. The token is usually valid for only a few days.

Refresh Token is used to get a new Access Token once that one has expired. A Refresh Token only expires when the user manually revokes access for the client application.

Authorization Code is a transitory code used to retrieve an Access Token. It should not be stored in the client application.

Access Token and exchange a Refresh Token for a new Access Token:

Authorization Endpoint: /accounts/authorize may be used to initially retrieve an Authorization Code.

Token Endpoint: /accounts/token may be used to retrieve an Access Token from either an Authorization Code or a Refresh Token.

application/x-www-form-urlencoded format. The client directs the user to the constructed URI using a browser window. The user is prompted to log in, enter her or his username and password, and grant the requested permissions to the client application. If the user is part of several workspaces in awork, the user needs to select the workspace before authorizing the application.

client_id: The client Id of the client application - Required.
redirect_uri: The user will be redirected to a custom URI after the access was granted. Needs to be the same as specified when registering the client application - Required.
scope: A space-separated list of API scopes - Required.
state: An arbitrary state string that helps the client application to identify the request - Optional.

redirect_uri) may be properly URL-encoded.

application/x-www-form-urlencoded format.

redirect_uri: The previously specified redirect URI.
code: The authentication code that can be exchanged for a token later.
state: The same arbitrary state string that the client application passed in the authorization request earlier.

302 Found
{redirect_uri}?code={code}&state={state}
application/x-www-form-urlencoded format.

code: The code that was received in the previous authorization response. Required.
redirect_uri: The previously specified redirect URI. Required.
client_id: The client Id of the client application. Required.
client_secret: The client secret of the client application. Required.

client_id and client_secret using Base64, and add it to the Authorization header as follows:

Authorization: Basic Base64({AppId}:{AppSecret})
redirect_uri) should be properly URL-encoded.
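
The three steps above (authorization request, redirect with code and state, token request with the Base64 Authorization header) as an added Python example; it is not code from awork. The host in BASE is a placeholder, the function names are hypothetical, and response_type and grant_type are the standard RFC 6749 parameters, assumed here because this page does not list them. The client secret is sent only in the Authorization header in this example.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

BASE = "https://awork.example.invalid"  # placeholder host (assumption, not from the page)

def build_authorize_url(client_id, redirect_uri, scope):
    """Return (url, state) for the Authorization Endpoint."""
    state = secrets.token_urlsafe(32)  # unguessable value tied to this one request
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode() percent-encodes the value
        "scope": scope,                # space-separated list of scopes
        "state": state,
        "response_type": "code",       # RFC 6749 parameter (assumed, not on the page)
    })
    return f"{BASE}/accounts/authorize?{query}", state

def code_from_redirect(redirect_url, expected_state):
    """Extract code from the 302 target; reject a missing or different state."""
    params = parse_qs(urlsplit(redirect_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one non-empty code parameter")
    return codes[0]  # use immediately; the page says not to store it

def build_token_request(code, redirect_uri, client_id, client_secret):
    """Return (url, headers, body) for the Token Endpoint; nothing is sent."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "grant_type": "authorization_code",  # RFC 6749 parameter (assumed)
    })
    return f"{BASE}/accounts/token", headers, body
```

Keep the returned state in the user's server-side session between the first and second call, and pass the same redirect_uri to both requests.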