documentation/content/en/spec/oauth.md

---
title: OAuth
description: An open standard for token-based authentication and authorization on the Internet
menu:
  docs:
    weight: 50
    parent: spec
---

## What is OAuth? {#intro}

The Mastodon API has many methods that require authentication from a client or authorization from a user. This is accomplished with OAuth 2.0, an authorization framework described in [RFC 6749](https://tools.ietf.org/html/rfc6749) that allows third-party applications to obtain limited access to an HTTP service on behalf of a resource owner, through the use of a standardized authorization flow that generates a client access token to be used with HTTP requests.

Mastodon supports the following OAuth 2 flows:

* **Authorization code flow**: For end-users
* **Password grant flow**: For bots and other single-user applications
* **Client credentials flow**: For applications that do not act on behalf of users

To obtain an OAuth token for a Mastodon website, make sure that you allow your users to specify the domain they want to connect to before login. Use that domain to [acquire a client id/secret]({{< relref "../methods/apps/#create-an-application" >}}) and then [proceed with normal OAuth 2]({{< relref "../methods/apps/oauth.md" >}}).

## OAuth 2 endpoints implemented {#implementation}

The following descriptions are taken from the [Doorkeeper documentation](https://github.com/doorkeeper-gem/doorkeeper/wiki/API-endpoint-descriptions-and-examples). Mastodon uses Doorkeeper to implement OAuth 2. For more information on how to use these endpoints, see the [API documentation for OAuth.]({{< relref "../methods/apps/oauth.md" >}})

{{< caption-link url="https://github.com/tootsuite/mastodon/blob/master/config/initializers/doorkeeper.rb" caption="Doorkeeper config initializer" >}}

### [GET /oauth/authorize]({{< relref "../methods/apps/oauth.md#authorize-a-user" >}})

Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired `redirect_uri`, or show the authorization code if `urn:ietf:wg:oauth:2.0:oob` was requested.

### [POST /oauth/token]({{< relref "../methods/apps/oauth.md#obtain-a-token" >}}) {#post-oauth-token}

Obtain an access token. This corresponds to the token endpoint, section 3.2 of the OAuth 2 RFC.

### [POST /oauth/revoke]({{< relref "../methods/apps/oauth.md#revoke-token" >}}) {#post-oauth-revoke}

Post here with client credentials to revoke an access token. This corresponds to the token endpoint, using the OAuth 2.0 Token Revocation RFC \(RFC 7009\).

## Common gotchas {#gotchas}

* When registering an application using Mastodon's REST API, there is a `scopes` parameter. When interfacing with OAuth endpoints, you must use the `scope` parameter instead, and this parameter's value must be a subset of the `scopes` registered with the app. You cannot include anything that wasn't in the original set.
* When registering an application using Mastodon's REST API, there is a `redirect_uris` parameter. When interfacing with OAuth endpoints, you must use the `redirect_uri` parameter instead, and this parameter's value must be one of the `redirect_uris` registered with the app.
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00			`---`
			`title: OAuth`
Update anchors, line breaks, tootctl options (#745) * update anchors * remove extraneous anchors * fix line breaks * wrap tootctl tokens in code blocks * change anchors to hugo format * fix mistaken search-and-replace * fix mistaken search-and-replace 2020-01-12 14:11:56 +01:00			`description: An open standard for token-based authentication and authorization on the Internet`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00			`menu:`
			`docs:`
			`weight: 50`
			`parent: spec`
			`---`

Update anchors, line breaks, tootctl options (#745) * update anchors * remove extraneous anchors * fix line breaks * wrap tootctl tokens in code blocks * change anchors to hugo format * fix mistaken search-and-replace * fix mistaken search-and-replace 2020-01-12 14:11:56 +01:00			`## What is OAuth? {#intro}`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00
			`The Mastodon API has many methods that require authentication from a client or authorization from a user. This is accomplished with OAuth 2.0, an authorization framework described in [RFC 6749](https://tools.ietf.org/html/rfc6749) that allows third-party applications to obtain limited access to an HTTP service on behalf of a resource owner, through the use of a standardized authorization flow that generates a client access token to be used with HTTP requests.`

			`Mastodon supports the following OAuth 2 flows:`

			`* Authorization code flow: For end-users`
			`* Password grant flow: For bots and other single-user applications`
			`* Client credentials flow: For applications that do not act on behalf of users`

Replace and fix broken links with hugos relref (#801) As discussed in #764 there are quite a lot of outdated links in the mastodon documentation. In basically all cases this was resolved by simply wrapping the old plain markdown link in hugos `relref` function[^0]. While quite a lot of links on the `/zh-cn/` also appear to be broken, these can not be fixed by just wrapping them in `relref`[^0]. Those are all links to `/spec/` subpages which are just not translated to `/zh-cn/` version. Therefore, `/zh-cn/spec/` has been excluded from the automated checking as described in the next section. The page has been checked using the linkchecker[^1] utility. One process is running `hugo serve` in order to see all changes in real time and notice errors directly in your browser. In a separate command prompt the command `linkchecker http://localhost:1313 --ignore-url=/zh-cn/spec` is being fired up. Note the `--ignore-url=/zh-cn/spe` to exclude the just not existing parts of the page as mentioned in the previous paragraph. There still is some ToDo on the table since quite a lot of the anchors appear to not be set or at least differ from previous versions. One example: on `/client/authorized/` is a link to `/client/token/#creating-our-application` while the id of referenced heading is `app`. These changes do not fix those Issues as it would require way more time. [^0]: https://gohugo.io/functions/relref/ [^1]: https://github.com/linkchecker/linkchecker Close #764 2020-08-10 23:01:50 +02:00			`To obtain an OAuth token for a Mastodon website, make sure that you allow your users to specify the domain they want to connect to before login. Use that domain to [acquire a client id/secret]({{< relref "../methods/apps/#create-an-application" >}}) and then [proceed with normal OAuth 2]({{< relref "../methods/apps/oauth.md" >}}).`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00
Update anchors, line breaks, tootctl options (#745) * update anchors * remove extraneous anchors * fix line breaks * wrap tootctl tokens in code blocks * change anchors to hugo format * fix mistaken search-and-replace * fix mistaken search-and-replace 2020-01-12 14:11:56 +01:00			`## OAuth 2 endpoints implemented {#implementation}`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00
			`The following descriptions are taken from the [Doorkeeper documentation](https://github.com/doorkeeper-gem/doorkeeper/wiki/API-endpoint-descriptions-and-examples). Mastodon uses Doorkeeper to implement OAuth 2. For more information on how to use these endpoints, see the [API documentation for OAuth.]({{< relref "../methods/apps/oauth.md" >}})`

			`{{< caption-link url="https://github.com/tootsuite/mastodon/blob/master/config/initializers/doorkeeper.rb" caption="Doorkeeper config initializer" >}}`

Replace and fix broken links with hugos relref (#801) As discussed in #764 there are quite a lot of outdated links in the mastodon documentation. In basically all cases this was resolved by simply wrapping the old plain markdown link in hugos `relref` function[^0]. While quite a lot of links on the `/zh-cn/` also appear to be broken, these can not be fixed by just wrapping them in `relref`[^0]. Those are all links to `/spec/` subpages which are just not translated to `/zh-cn/` version. Therefore, `/zh-cn/spec/` has been excluded from the automated checking as described in the next section. The page has been checked using the linkchecker[^1] utility. One process is running `hugo serve` in order to see all changes in real time and notice errors directly in your browser. In a separate command prompt the command `linkchecker http://localhost:1313 --ignore-url=/zh-cn/spec` is being fired up. Note the `--ignore-url=/zh-cn/spe` to exclude the just not existing parts of the page as mentioned in the previous paragraph. There still is some ToDo on the table since quite a lot of the anchors appear to not be set or at least differ from previous versions. One example: on `/client/authorized/` is a link to `/client/token/#creating-our-application` while the id of referenced heading is `app`. These changes do not fix those Issues as it would require way more time. [^0]: https://gohugo.io/functions/relref/ [^1]: https://github.com/linkchecker/linkchecker Close #764 2020-08-10 23:01:50 +02:00			`### [GET /oauth/authorize]({{< relref "../methods/apps/oauth.md#authorize-a-user" >}})`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00
			Displays an authorization form to the user. If approved, it will create and return an authorization code, then redirect to the desired `redirect_uri`, or show the authorization code if `urn:ietf:wg:oauth:2.0:oob` was requested.

Replace and fix broken links with hugos relref (#801) As discussed in #764 there are quite a lot of outdated links in the mastodon documentation. In basically all cases this was resolved by simply wrapping the old plain markdown link in hugos `relref` function[^0]. While quite a lot of links on the `/zh-cn/` also appear to be broken, these can not be fixed by just wrapping them in `relref`[^0]. Those are all links to `/spec/` subpages which are just not translated to `/zh-cn/` version. Therefore, `/zh-cn/spec/` has been excluded from the automated checking as described in the next section. The page has been checked using the linkchecker[^1] utility. One process is running `hugo serve` in order to see all changes in real time and notice errors directly in your browser. In a separate command prompt the command `linkchecker http://localhost:1313 --ignore-url=/zh-cn/spec` is being fired up. Note the `--ignore-url=/zh-cn/spe` to exclude the just not existing parts of the page as mentioned in the previous paragraph. There still is some ToDo on the table since quite a lot of the anchors appear to not be set or at least differ from previous versions. One example: on `/client/authorized/` is a link to `/client/token/#creating-our-application` while the id of referenced heading is `app`. These changes do not fix those Issues as it would require way more time. [^0]: https://gohugo.io/functions/relref/ [^1]: https://github.com/linkchecker/linkchecker Close #764 2020-08-10 23:01:50 +02:00			`### [POST /oauth/token]({{< relref "../methods/apps/oauth.md#obtain-a-token" >}}) {#post-oauth-token}`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00
			`Obtain an access token. This corresponds to the token endpoint, section 3.2 of the OAuth 2 RFC.`

Replace and fix broken links with hugos relref (#801) As discussed in #764 there are quite a lot of outdated links in the mastodon documentation. In basically all cases this was resolved by simply wrapping the old plain markdown link in hugos `relref` function[^0]. While quite a lot of links on the `/zh-cn/` also appear to be broken, these can not be fixed by just wrapping them in `relref`[^0]. Those are all links to `/spec/` subpages which are just not translated to `/zh-cn/` version. Therefore, `/zh-cn/spec/` has been excluded from the automated checking as described in the next section. The page has been checked using the linkchecker[^1] utility. One process is running `hugo serve` in order to see all changes in real time and notice errors directly in your browser. In a separate command prompt the command `linkchecker http://localhost:1313 --ignore-url=/zh-cn/spec` is being fired up. Note the `--ignore-url=/zh-cn/spe` to exclude the just not existing parts of the page as mentioned in the previous paragraph. There still is some ToDo on the table since quite a lot of the anchors appear to not be set or at least differ from previous versions. One example: on `/client/authorized/` is a link to `/client/token/#creating-our-application` while the id of referenced heading is `app`. These changes do not fix those Issues as it would require way more time. [^0]: https://gohugo.io/functions/relref/ [^1]: https://github.com/linkchecker/linkchecker Close #764 2020-08-10 23:01:50 +02:00			`### [POST /oauth/revoke]({{< relref "../methods/apps/oauth.md#revoke-token" >}}) {#post-oauth-revoke}`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00
			`Post here with client credentials to revoke an access token. This corresponds to the token endpoint, using the OAuth 2.0 Token Revocation RFC \(RFC 7009\).`

Update anchors, line breaks, tootctl options (#745) * update anchors * remove extraneous anchors * fix line breaks * wrap tootctl tokens in code blocks * change anchors to hugo format * fix mistaken search-and-replace * fix mistaken search-and-replace 2020-01-12 14:11:56 +01:00			`## Common gotchas {#gotchas}`
Update documentation with contents by twrnh 2020-01-01 22:37:59 +01:00
			* When registering an application using Mastodon's REST API, there is a `scopes` parameter. When interfacing with OAuth endpoints, you must use the `scope` parameter instead, and this parameter's value must be a subset of the `scopes` registered with the app. You cannot include anything that wasn't in the original set.
			* When registering an application using Mastodon's REST API, there is a `redirect_uris` parameter. When interfacing with OAuth endpoints, you must use the `redirect_uri` parameter instead, and this parameter's value must be one of the `redirect_uris` registered with the app.