Next: Device Flow, Up: Authorize an OAuth App [Index]
The web application flow to authorize users for your app is:

Step 1. Request a user's GitHub identity

GET https://github.com/login/oauth/authorize

client_id
     (string) Required. The client ID you received from GitHub when you registered.
redirect_uri
     (string) The URL in your application where users will be sent after authorization.
login
     (string) Suggests a specific account to use for signing in and authorizing the app. When your GitHub App specifies a 'login' parameter, it prompts users with a specific account they can use for signing in and authorizing your app.
scope
     (string) A space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application.
state
     (string) An unguessable random string. It is used to protect against cross-site request forgery attacks.
allow_signup
     (string) Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is 'true'.
Step 2. Users are redirected back to your site by GitHub

If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. The temporary code will expire after 10 minutes. If the states don't match, then a third party created the request, and you should abort the process.

Exchange this code for an access token:

POST https://github.com/login/oauth/access_token

client_id
     (string) Required. The client ID you received from GitHub for your GitHub App.
client_secret
     (string) Required. The client secret you received from GitHub for your GitHub App.
code
     (string) Required. The code you received as a response to Step 1.
redirect_uri
     (string) The URL in your application where users are sent after authorization.
state
     (string) The unguessable random string you provided in Step 1.
By default, the response takes the following form:

access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer

You can also receive the content in different formats depending on the 'Accept' header:

Accept: application/json
{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a", "scope":"repo,gist", "token_type":"bearer"}

Accept: application/xml
<OAuth>
  <token_type>bearer</token_type>
  <scope>repo,gist</scope>
  <access_token>e72e16c7e42f292c6912e7710c838347ae178b4a</access_token>
</OAuth>
Step 3. Use the access token to access the API

The access token allows you to make requests to the API on behalf of a user.

Authorization: token OAUTH-TOKEN
GET https://api.github.com/user
For example, in curl you can set the Authorization header like this:
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/user
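The three steps above, as an added Python example that is not part of the original page or of GitHub's own client libraries. It generates and checks the state value, builds the authorize redirect and the token POST, and parses the token response in each of the three formats shown above (form-encoded, JSON, XML). The client ID, secret, redirect URL and the callback URL used in the demo are constructed placeholders; the sample response bodies are the ones quoted on the page. No network call is made, so it runs offline.

```python
import hmac
import json
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def new_state() -> str:
    """Unguessable state value from the OS CSPRNG. Store it in the user's
    session before redirecting so the callback can be bound to that session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, scope="",
                        login=None, allow_signup=True):
    """Step 1: the URL the browser is sent to. scope is space-delimited."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    if login:
        params["login"] = login
    if not allow_signup:
        params["allow_signup"] = "false"
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the temporary code out of the redirect back to our site.
    A state mismatch means the request was not started by this session
    (CSRF), so the flow is aborted instead of exchanging the code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    # constant-time comparison; encode so non-ASCII input cannot raise TypeError
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: aborting OAuth flow")
    if not code:
        raise ValueError("callback carried no code parameter")
    return code


def token_request(client_id, client_secret, code, redirect_uri, state,
                  accept="application/json"):
    """Step 2: build the POST to exchange the code. Returns (url, headers, body)
    so the caller can send it with any HTTP client; the secret stays server-side."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "redirect_uri": redirect_uri, "state": state})
    headers = {"Accept": accept,
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def parse_token_response(content_type, body):
    """Parse the token response in whichever format the Accept header selected.
    Raises if no access_token is present (the exchange failed)."""
    if content_type.startswith("application/json"):
        data = json.loads(body)
    elif content_type.startswith("application/xml"):
        root = ET.fromstring(body)
        data = {child.tag: (child.text or "").strip() for child in root}
    else:  # default form-encoded body
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if not data.get("access_token"):
        raise ValueError("token exchange failed: %s" % data.get("error", "no access_token"))
    return data


def auth_header(token):
    """Step 3: header for API calls on the user's behalf."""
    return {"Authorization": "token " + token}


if __name__ == "__main__":
    # Constructed placeholders, not real credentials.
    state = new_state()
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://app.example/cb",
                              state, scope="repo gist"))
    code = parse_callback("https://app.example/cb?code=TMPCODE&state=" + state, state)
    print(token_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                        code, "https://app.example/cb", state))
    tok = parse_token_response(
        "application/x-www-form-urlencoded",
        "access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer")
    print(auth_header(tok["access_token"]))
```

The token POST is returned as (url, headers, body) rather than sent so the example stays offline; in a real deployment it is issued from the server, never from the browser, because the client secret is part of the body.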