OAuth2

OAuth2 lets you ask a Mention user for permission to access their account through the API.

Before continuing, you will need to create an app. If you already have one, you can find your existing apps here.

If you want to access your own Mention account using the API, you can skip this and use the access token provided at the bottom of your app's settings page.

Authorization is done in a few steps:

  1. You direct the user to the authorization page
  2. The user can grant you permission to access their account, after which they are redirected to a callback URL that you have specified
  3. The callback receives an authorization code that can be used to obtain an access token
  4. You request an access token using the provided authorization code

Authorization

Authorization is initiated by directing the user to the following URL:

https://web.mention.com/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code

This is usually done in a popup window. The parameters are explained in the following table:

| Parameter | Definition | Example |
|---|---|---|
| client_id | The app's client id. This can be found in the app's settings page | 3_QIP8WdbQkSiiCmrhLRwE7GzPKk1U7eAu |
| redirect_uri | URI to redirect to. This must start with one of the callback URLs specified in the app's settings page | http://example.com |

This asks the user to grant permission to the app. Once the permission is granted, the user is redirected to the callback URL specified in the redirect_uri parameter.

The callback URL receives an authorization code in the query string, in the code parameter. It must be exchanged for an access token by making a POST request to https://web.mention.net/oauth/v2/token with the following parameters:

| Attribute | Definition | Example |
|---|---|---|
| client_id | Must be the same client_id as in the first step | 3_QIP8WdbQkSiiCmrhLRwE7GzPKk1U7eAu |
| client_secret | Can be found next to the client_id | x33qytemQZPhmhV62aaToIJIwUcqC2P1k |
| redirect_uri | OAuth2 requires this to be the same as in the first step | http://example.com |
| response_type | Must be token | token |
| code | The authorization code received by the callback | dcf633ef1b86041e24970a06abd54ab7 |
| grant_type | Must be authorization_code | authorization_code |

The request should be made using the POST method, with parameters in application/x-www-form-urlencoded format. GET is also allowed, but discouraged.

The result is a JSON document containing the access token:

{
    "access_token": "a1d0c6e83f027327d8461063f4ac58a6",
    "token_type": "bearer"
}
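
The four steps above, sketched client-side in Python as an added example (not Mention's own code). The function names, the registered_callbacks list (a local copy of the callback URLs from the app's settings page) and the /callback path in the test data are assumptions; the token request is built but not sent, so the example runs offline.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

AUTHORIZE_URL = "https://web.mention.com/authorize"
TOKEN_URL = "https://web.mention.net/oauth/v2/token"

def authorization_url(client_id, redirect_uri, registered_callbacks):
    """Step 1: URL to send the user to, with every parameter percent-encoded."""
    # Local mirror of the page's rule: redirect_uri starts with a registered callback URL.
    if not any(redirect_uri.startswith(cb) for cb in registered_callbacks):
        raise ValueError("redirect_uri is not prefixed by a registered callback URL")
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code"})
    return f"{AUTHORIZE_URL}?{query}"

def code_from_callback(callback_url):
    """Step 3: read the authorization code from the callback's query string."""
    values = parse_qs(urlsplit(callback_url).query).get("code", [])
    if len(values) != 1:
        raise ValueError("callback must carry exactly one non-empty code parameter")
    return values[0]

def token_request(client_id, client_secret, redirect_uri, code):
    """Step 4: POST with a form-encoded body, which keeps client_secret out of the URL."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # same value as in step 1
        "response_type": "token",
        "code": code,
        "grant_type": "authorization_code",
    }).encode("ascii")
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def access_token_from_response(raw_json):
    """Parse the token response; fail closed if no usable access token is present."""
    token = json.loads(raw_json).get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token")
    return token
```

Because redirect_uri is matched by prefix, registering the most specific callback URL you can (full path included) keeps the set of accepted redirect targets small.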