Overview

OAuth2 allows your application to securely access user data on behalf of the user.

Prerequisites

  • Obtain your client_id and client_secret from the partner portal.
  • Configure a Redirect URI in the portal — this is where users are sent after authorizing your app.

Authentication Flow

1. Redirect the user to the authorization server

Send users to the authorization endpoint where they can log in and approve access.

GET https://auth.calendbook.com/login

Parameter       Description
client_id       The client ID of your application (from Partner Portal).
response_type   Must be set to code (Authorization Code flow).
scope           Space-delimited list of requested scopes, e.g. openid+email+phone.
redirect_uri    The URI where the user will be redirected after consent.
state           An internal state value used to maintain state between request and callback (CSRF token).

The user logs in (if not already) and approves the requested scopes.

3. Receive authorization code

After approval, the user is redirected back to your configured redirect_uri with a short-lived authorization_code.

4. Exchange authorization code for access token

Make a POST request to the token endpoint: https://auth.calendbook.com/oauth2/token
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body (x-www-form-urlencoded):
{
   "grant_type": "authorization_code",
   "client_id": "<partner-client-id>",
   "code": "<authorization-code>",
   "client_secret": "<partner-secret>",
   "redirect_uri": "<partner-redirect-url>"
}
  • Response Body:
    • access_token
    • refresh_token

5. Call the API

  • Use the access_token in the Authorization header

6. Refresh token

When the access_token expires, request a new one with the refresh_token:
{
   "grant_type": "refresh_token",
   "client_id": "<partner-client-id>",
   "refresh_token": "<refresh-token>",
   "client_secret": "<partner-secret>"
}
Response includes a new access_token.
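
The following sketch ties steps 1, 3, 4 and 6 together. It is an added example, not code from the provider: it generates the state CSRF token, rejects callbacks whose state does not match, and builds the form-encoded token request bodies. The function names are hypothetical, and it assumes the callback carries the standard OAuth2 code and state query parameters.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://auth.calendbook.com/login"      # from the page
TOKEN_URL = "https://auth.calendbook.com/oauth2/token"   # POST the body here


def build_authorization_url(client_id, redirect_uri, scopes):
    """Step 1: return (url, state). Keep state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, per-request CSRF token
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),     # urlencode turns the spaces into '+'
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Step 3: verify state before trusting the code in the callback."""
    # Assumption: the callback uses the standard 'code' and 'state' names.
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time compare; a missing or different state means this
    # callback does not belong to a request the session started.
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def token_request_body(client_id, client_secret, *, code=None,
                       redirect_uri=None, refresh_token=None):
    """Steps 4 and 6: x-www-form-urlencoded body (not JSON)."""
    fields = {"client_id": client_id, "client_secret": client_secret}
    if refresh_token is not None:
        fields.update(grant_type="refresh_token", refresh_token=refresh_token)
    elif code and redirect_uri:
        fields.update(grant_type="authorization_code", code=code,
                      redirect_uri=redirect_uri)
    else:
        raise ValueError("need refresh_token, or code and redirect_uri")
    return urlencode(fields).encode("ascii")
```

Send the returned bytes with Content-Type: application/x-www-form-urlencoded from your server only, so the client_secret never reaches the browser.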