OAuth 2
OAuth 2 is an open standard for authorization that enables third-party applications to obtain limited access to MyLogin user accounts, by delegating user authentication to MyLogin.
Developers must register their application to use OAuth. A registered application is assigned a client_id, and you can create many client secrets. Client secrets should be kept confidential and used only between the application and the MyLogin authorization server https://app.mylogin.com.
Flow
The MyLogin API uses the Authorization Code grant type. An access_token is required to access our endpoints.
- The user is redirected to /oauth/authorize from your app with your identifiers documented below.
- The user logs in using their emoji password, magic badge, or username and password.
- The user is redirected to the callback URL provided by you in the initial request with an authorization token.
- The authorization_token is exchanged for an access_token via an HTTP POST to /oauth/token.
GET /oauth/authorize
Redirect your users here with these URL parameters. They will be redirected to your redirect_uri after they have logged in.
URL parameters
Name | Type | Required | Description |
---|---|---|---|
client_id | string | Required | The |
redirect_uri | string | Required | Must match a callback URL managed in the credentials area in the developer portal. The callback URL where users will be sent after authorization. |
response_type | string | Required | Must be set to “code” to request an |
organisation | string | Optional | The slug or encoded ID of the organisation you'd like to authenticate for. |
Response
The user is redirected back to your redirect_uri with the URL parameter ?code=<authorization_code>, valid for ten minutes.
Example
curl "https://app.mylogin.com/oauth/authorize?client_id=9a3e15b1-4065-3382-8b47-79496eaca039&redirect_uri=https://myapp.example/callback&response_type=code"
POST /oauth/token
Used for exchanging an authorization_code for an access_token.
Authorization
Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with an Authorization header that contains the word "Basic" followed by a space and then a base64-encoded string consisting of your app's client_id and client_secret separated by a colon (":").
Name | Description |
---|---|
client_id | The |
client_secret | A secret created in your app's credentials area in the developer portal |
For example, to authorize the client_id and client_secret combination of "1234567890" and "super-secret" ("1234567890:super-secret"), the client would send:
Authorization: Basic MTIzNDU2Nzg5MDpzdXBlci1zZWNyZXQ=
URL parameters
Name | Type | Required | Description |
---|---|---|---|
grant_type | string | Required | |
code | string | Required if | The |
redirect_uri | string | Required | This must be the same |
Response
Body
Name | Type | Description |
---|---|---|
token_type | string | Always |
access_token | string | The token used to access MyLogin's API endpoints. Valid for 24 hours. |
Example
Exchanging the authorization_token for the first access_token:
curl -X POST "https://app.mylogin.com/oauth/token?grant_type=authorization_code&code=abcdef123456&redirect_uri=https://yourapp.example/callback" \
  -H "Authorization: Basic MTIzNDU2Nzg5MDpzdXBlci1zZWNyZXQ="
GET /oauth/logout
Redirect your users here with this URL parameter to log them out of MyLogin.
URL parameters
Name | Type | Required | Description |
---|---|---|---|
client_id | string | Required | The |
Response
The user is redirected back to your logout_url.
Example
curl https://app.mylogin.com/oauth/logout?client_id=9a3e15b1-4065-3382-8b47-79496eaca039