OAuth2
OAuth2 lets you ask a Mention user for permission to access their account using the API.
Before continuing, you will need to create an app. If you already did, you can find your existing apps here.
If you want to access your own Mention account using the API, you can skip this and use the access token provided at the bottom of your app's settings page.
Authorization is done in a few steps:
- You direct the user to the authorization page
- The user can grant you permission to access their account, after which they are redirected to a callback URL that you have specified
- The callback receives an authorization code that can be used to obtain an access token
- You request an access token using the provided authorization code
Authorization
Authorization is initiated by directing the user to the following URL:
https://web.mention.com/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code
This is usually done in a popup window. The parameters are explained in the following table:
Parameter | Definition | Example |
---|---|---|
client_id | The app’s client id. This can be found in the app's settings page | 3_QIP8WdbQkSiiCmrhLRwE7GzPKk1U7eAu |
redirect_uri | URI to redirect to. This must be prefixed by one of the callback URLs specified in the app's settings page | http://example.com |
This asks the user to grant permission to the app. Once the permission is granted, the user is redirected to the callback URL specified in the redirect_uri parameter.
The callback URL receives an authorization code in the query string, in the code parameter. It must be exchanged for an access token by making a POST request to https://web.mention.net/oauth/v2/token with the following parameters:
Attribute | Definition | Example |
---|---|---|
client_id | Must be the same client_id as during the first step | 3_QIP8WdbQkSiiCmrhLRwE7GzPKk1U7eAu |
client_secret | Can be found next to the client_id | x33qytemQZPhmhV62aaToIJIwUcqC2P1k |
redirect_uri | OAuth2 requires this to be the same as during the first step | http://example.com |
response_type | Must be token | token |
code | The authorization code received by the callback | dcf633ef1b86041e24970a06abd54ab7 |
grant_type | Must be authorization_code | authorization_code |
The request should be made using the POST method, with parameters in application/x-www-form-urlencoded format. GET is also allowed, but discouraged.
The result is a JSON document containing the access token:
{
"access_token": "a1d0c6e83f027327d8461063f4ac58a6",
"token_type": "bearer"
}
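The client side of the steps above, as an added example (not Mention's own code). The function names are hypothetical, and the only endpoints and parameters used are the ones documented on this page.

```python
import json
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://web.mention.com/authorize"
TOKEN_URL = "https://web.mention.net/oauth/v2/token"


def build_authorize_url(client_id, redirect_uri):
    """Step 1: URL the user is sent to; values are percent-encoded."""
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    })
    return f"{AUTHORIZE_URL}?{query}"


def extract_code(callback_url):
    """Step 3: read the code parameter; reject a missing, empty or repeated one."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code parameter")
    return codes[0]


def build_token_request(client_id, client_secret, redirect_uri, code):
    """Step 4: POST with a form-encoded body, so the secret stays out of the URL."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must match the value used in step 1
        "response_type": "token",
        "code": code,
        "grant_type": "authorization_code",
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Return the access token after checking the fields shown in the sample."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"]
```

To send the request, pass the object returned by build_token_request to urllib.request.urlopen and give the response body to parse_token_response.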