
Overview

Flextell uses OAuth 2.0 Authorization Code flow to authenticate API clients. The flow involves two steps:
  1. Redirect the user to the authorization endpoint to obtain an authorization code.
  2. Exchange the code for an access token using the token endpoint.
Use the resulting access token as a Bearer token in all subsequent API requests.

GET /oauth/authorize

Full URL: https://dev.flextell.ai/oauth/authorize

Initiates the OAuth 2.0 Authorization Code flow. Redirect the user’s browser to this URL. After the user grants permission, Flextell redirects them back to your redirect_uri with an authorization code in the query string.

Query parameters

response_type (string, required): Must be "code".
client_id (string, required): Your application’s client ID, issued when you register your app.
redirect_uri (string, required): The URL Flextell redirects to after authorization. Must exactly match a URI registered for your application.
scope (string): Space-separated list of scopes your application is requesting. Omitting this field requests the default scopes for your client.
state (string): A random, unguessable string your application generates. Flextell returns this value unchanged in the redirect. Use it to verify the response and protect against CSRF attacks.

Including state is strongly recommended. Without it, your application is vulnerable to cross-site request forgery attacks.

Example redirect

https://dev.flextell.ai/oauth/authorize
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https%3A%2F%2Fyourapp.com%2Fcallback
  &scope=read%20write
  &state=abc123xyz

POST /oauth/token

Full URL: https://dev.flextell.ai/oauth/token

Exchanges an authorization code or refresh token for an access token. Send all parameters as application/x-www-form-urlencoded in the request body.

Request body

grant_type (string, required): The grant type to use. Must be "authorization_code" when exchanging a code, or "refresh_token" when refreshing an existing token.
code (string): The authorization code received in the redirect from /oauth/authorize. Required when grant_type is "authorization_code".
redirect_uri (string): The redirect URI used in the original authorization request. Must match exactly. Required when grant_type is "authorization_code".
client_id (string, required): Your application’s client ID.
client_secret (string, required): Your application’s client secret. Keep this value confidential and never expose it in client-side code.
refresh_token (string): The refresh token previously issued by this endpoint. Required when grant_type is "refresh_token".

Response fields

access_token (string): The Bearer token to include in the Authorization header of API requests.
token_type (string): Always "Bearer".
expires_in (integer): The lifetime of the access token in seconds. After this period, the token is no longer valid.
refresh_token (string): A token you can use to obtain a new access token when the current one expires, without requiring the user to re-authorize.

Examples

curl --request POST \
  --url https://dev.flextell.ai/oauth/token \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=authorization_code" \
  --data "code=AUTH_CODE_FROM_REDIRECT" \
  --data "redirect_uri=https://yourapp.com/callback" \
  --data "client_id=YOUR_CLIENT_ID" \
  --data "client_secret=YOUR_CLIENT_SECRET"

Example response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "def50200a1b2c3d4e5f6..."
}
Store your client_secret and refresh_token securely. Never include them in client-side JavaScript or commit them to source control.
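
Server-side sketch of both steps with the state check in between. This is an added example, not Flextell's own code. The function names are hypothetical, and it assumes the callback carries the query parameters code and state as in standard OAuth 2.0. The token request is built but not sent.

```python
import hmac
import secrets
import urllib.request
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://dev.flextell.ai/oauth/authorize"
TOKEN_URL = "https://dev.flextell.ai/oauth/token"


def build_authorize_url(client_id, redirect_uri, scope="read write"):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }, quote_via=quote)  # percent-encode spaces as %20, as in the page's URL
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code, or raise ValueError if the check fails."""
    params = parse_qs(urlsplit(callback_url).query)
    states, codes = params.get("state", []), params.get("code", [])
    # Missing, empty or duplicated parameters are rejected outright.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one state and one code")
    # Constant-time comparison against the value stored for this session.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the code")
    return codes[0]


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Build the form-encoded POST for the token endpoint (server side only)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # same value as in the authorize request
        "client_id": client_id,
        "client_secret": client_secret,  # read from a secret store, not source
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers,
                                  method="POST")
```

Discard the stored state after one callback so that a replayed redirect fails the same check.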