4.9 KiB
4.9 KiB
OAuth details
We use the Doorkeeper gem for OAuth, so you can refer to their docs on specifics of the end-points.
The API is divided up into access scopes:
- write
- write:accounts
PUT /api/v1/accounts/verify_credentialsPOST /api/v1/statuses/:id/pinPOST /api/v1/statuses/:id/unpin
- write:blocks
POST /api/v1/accounts/:id/blockPOST /api/v1/accounts/:id/unblockPOST|DELETE /api/v1/domain_blocks
- write:favourites
POST /api/v1/statuses/:id/favouritePOST /api/v1/statuses/:id/unfavourite
- write:filters
POST /api/v1/filtersPUT|DELETE /api/v1/filters/:id
- write:follows
POST /api/v1/accounts/:id/followPOST /api/v1/accounts/:id/unfollowPOST /api/v1/followsPOST /api/v1/follow_requests/:id/authorizePOST /api/v1/follow_requests/:id/reject
- write:lists
POST|DELETE /api/v1/lists/:id/accountsPOST /api/v1/listsPUT|DELETE /api/v1/lists/:id
- write:media
POST /api/v1/mediaPUT /api/v1/media/:id
- write:mutes
POST /api/v1/statuses/:id/mutePOST /api/v1/statuses/:id/unmutePOST /api/v1/accounts/:id/mutePOST /api/v1/accounts/:id/unmute
- write:notifications
POST /api/v1/notifications/clearPOST /api/v1/notifications/:id/dismiss
- write:reports
POST /api/v1/reports
- write:statuses
POST /api/v1/statuses/:id/reblogPOST /api/v1/statuses/:id/unreblogPOST /api/v1/statusesDELETE /api/v1/statuses/:id
- write:accounts
- read
- read:accounts
GET /api/v1/accounts/verify_credentialsGET /api/v1/accounts/:id/followersGET /api/v1/accounts/:id/followingGET /api/v1/accounts/searchGET /api/v1/statuses/:id/favourited_byGET /api/v1/statuses/:id/reblogged_byGET /api/v1/accounts/:id
- read:blocks
GET /api/v1/blocksGET /api/v1/domain_blocks
- read:favourites
GET /api/v1/favourites
- read:filters
GET /api/v1/filtersGET /api/v1/filters/:id
- read:follows
GET /api/v1/accounts/relationshipsGET /api/v1/follow_requests
- read:lists
GET /api/v1/accounts/:id/listsGET /api/v1/lists/:id/accountsGET /api/v1/listsGET /api/v1/lists/:id
- read:mutes
GET /api/v1/mutes
- read:notifications
GET /api/v1/notificationsGET /api/v1/notifications/:id
- read:reports
GET /api/v1/reports
- read:search
GET /api/v1/searchGET /api/v2/search
- read:statuses
GET /api/v1/accounts/:id/statusesGET /api/v1/timelines/directGET /api/v1/timelines/homeGET /api/v1/timelines/list/:idGET /api/v1/statuses/:idGET /api/v1/statuses/:id/contextGET /api/v1/statuses/:id/card
- read:accounts
- follow (legacy)
- read:blocks
- read:follows
- read:mutes
- write:blocks
- write:follows
- write:mutes
- push
Multiple scopes can be requested during the authorization phase with the scope query param (space-separate the scopes). If you do not specify a scope in your authorization request, the resulting access token will default to read access.
You need an access token. To get one, use the following workflow:
- Get
client_idandclient_secretfrom your local cache. If you don't have the two, you need to register the application. Storeclient_idandclient_secretin your local cache for next time. We actually don't need theidreturned from this call. - Tell the user to visit
/oauth/authorizewith parametersscope=read write follow(URL encode the space to%20, of course),response_type=code,redirect_uri=urn:ietf:wg:oauth:2.0:oob(assuming you don't want to redirect your users elsewhere),client_id=<client_id>. The user clicks on the URL and gets shown a page asking them to authorize your app for reading, writing, and following (assuming this is the scope you requested, feel free to request less). If the user clicks on the right button, they get back a code. Store this code as yourauthorization_code. - Send a POST request to
/oauth/tokenwith the parametersclient_id=<client_id>,client_secret=<client_secret>,grant_type=authorization_code,code=<authorization_code>,redirect_uri=urn:ietf:wg:oauth:2.0:oob. Save theaccess_tokenyou get back in your local cache. Note that an authorization code can only be used once. If it has been used already, you need to repeat step #2 to get a new one.
Once you have the access token, add the HTTP header Authorization: Bearer <access_token> to any API call. If you want to check access token validity, one simple way to do it is getting the current user.