OAuth2 API

The OAuth2 applications API is currently experimental, and may break without notice.

ContentDB allows you to create an OAuth2 Application and obtain access tokens for users.

Scopes

OAuth2 applications can currently only access public user data, using the whoami API.

Create an OAuth2 Client

Go to Settings > OAuth2 Applications > Create

Obtaining access tokens

ContentDB supports the Authorization Code OAuth2 method.

Authorize

Get the user to open the following URL in a web browser:

https://content.luanti.org/oauth/authorize/
    ?response_type=code
    &client_id={CLIENT_ID}
    &redirect_uri={REDIRECT_URL}

The redirect_url must much the value set in your oauth client. Make sure to URL encode it. ContentDB also supports state.

Afterwards, the user will be redirected to your callback URL. If the user accepts the authorization, you'll receive an authorization code (code). Otherwise, the redirect_url will not be modified.

For example, with REDIRECT_URL set as https://example.com/callback/:

  • If the user accepts: https://example.com/callback/?code=abcdef
  • If the user cancels: https://example.com/callback/

Exchange auth code for access token

Next, you'll need to exchange the auth for an access token.

Do this by making a POST request to the /oauth/token/ API:

curl -X POST https://content.luanti.org/oauth/token/ \
    -F grant_type=authorization_code \
    -F client_id="CLIENT_ID" \
    -F client_secret="CLIENT_SECRET" \
    -F code="abcdef"

You should make this request on a server to prevent the user from getting access to your client secret.

If successful, you'll receive:

{
    "success": true,
    "access_token": "access_token",
    "token_type": "Bearer"
}

If there's an error, you'll receive a standard API error message:

{
    "success": false,
    "error": "The error message"
}

Possible errors:

  • Unsupported grant_type, only authorization_code is supported
  • Missing client_id
  • Missing client_secret
  • Missing code
  • client_id and/or client_secret is incorrect
  • Incorrect code. It may have already been redeemed

Check access token

Next, you should check the access token works by getting the user information:

curl https://content.luanti.org/api/whoami/ \
    -H "Authorization: Bearer YOURTOKEN"