# Authorization in third party apps

The `/account/authorize` endpoint in OAuth2 is used to initiate the authorization process, allowing users to grant third-party applications access to their resources securely.

## How /account/authorize works

- The client (your app) redirects the user to the `/account/authorize/` endpoint with specific query parameters.
- The user logs in (if not already) and consents to the requested access.
- The authorization server redirects the user back to the client with an access token (or an authorization code, depending on the `response_type`).
## Example Authorization URL

```
https://lzt.market/account/authorize?client_id=5ggftt92ww&response_type=token&scope=read%20post
https://lolz.live/account/authorize?client_id=5ggftt92ww&response_type=code&scope=read+post&redirect_uri=https://lolzteam.readme.io/reference/oauth2
```
## Query Parameters

| Parameter | Description |
|---|---|
| `response_type` | Determines the type of response expected. Either `token` or `code`. |
| `client_id` | The unique identifier for your application. |
| `redirect_uri` | The URL where the user will be redirected after authorization. |
| `scope` | A space-separated list of requested permissions (`basic`, `read`, `post`, `conversate`, `market`, `payment`, `invoice`). |
| `state` | A random string to prevent CSRF attacks and track the client session. |
## Server Responses

### Successful Authorization

If the user approves, they are redirected to the `redirect_uri` with a token or code.

With `response_type=token` the parameters are returned in the URL fragment:

```
https://example.url/callback#client_id=client_id&user_id=0&expire_date=0&scope=post+read&issue_date=0&hidden_token=0&token_id=0&access_token=jwt_token&state=
```

| Parameter | Description |
|---|---|
| `client_id` | The unique identifier for your application. |
| `user_id` | User ID. |
| `expire_date` | Token expiration date (currently 6 months after the token was issued). |
| `scope` | Permissions granted by the user. |
| `issue_date` | Date and time the token was issued. |
| `hidden_token` | A token not exposed directly to the client. |
| `token_id` | Unique ID for the token. |
| `access_token` | User token. |
| `state` | The same value sent in the request, used to validate the response. |

With `response_type=code` the authorization code is returned in the query string:

```
https://example.url/callback?code=1234567890abcdef1234567890abcdef12345678&state=#
```

| Parameter | Description |
|---|---|
| `code` | Authorization code. |
| `state` | The same value sent in the request, used to validate the response. |

### Error Response

If the user denies access or an error occurs:

```
https://example.url/callback?error=invalid_request&error_description=Invalid+or+missing+response+type&state=
```

| Error name | Description |
|---|---|
| `invalid_request` | Malformed request. |
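The redirect and callback described above, as an added example that is not part of the lolz.live documentation: it builds the `/account/authorize` URL with a random `state`, then parses the callback for either response type and refuses any callback whose `state` does not match the one that was sent, which is the check that makes the `state` parameter effective against CSRF. The host is taken from the page; the `client_id` and `redirect_uri` values are placeholders.

```python
# Added example (not part of the lolz.live documentation): build the
# /account/authorize URL with a random `state`, then validate and parse the
# callback the server redirects back to. The host comes from the page; the
# client_id and redirect_uri used when calling it are placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://lolz.live/account/authorize"
# scope names listed in the Query Parameters table
VALID_SCOPES = {"basic", "read", "post", "conversate", "market", "payment", "invoice"}


def build_authorize_url(client_id, response_type, scopes, redirect_uri, state=None):
    """Return (url, state). A fresh unguessable state is generated when none is given."""
    if response_type not in ("token", "code"):
        raise ValueError("response_type must be 'token' or 'code'")
    unknown = set(scopes) - VALID_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "scope": " ".join(scopes),  # space-separated; urlencode emits it as read+post
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Parse the redirect back to the client.

    The `token` response type carries its parameters in the URL fragment
    (after '#'), the `code` response type in the query string. In both cases
    `state` must equal the value we sent; anything else is discarded, which is
    what stops a callback the client never initiated from being accepted.
    """
    parts = urlsplit(callback_url)
    raw = parts.fragment or parts.query
    data = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    got = data.get("state", "").encode()
    if not expected_state or not hmac.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch: not the request we initiated")
    if "access_token" in data:
        return {
            "kind": "token",
            "access_token": data["access_token"],
            "scope": data.get("scope", "").split(),
            "expire_date": int(data.get("expire_date", 0)),
        }
    if "code" in data:
        return {"kind": "code", "code": data["code"]}
    raise ValueError("callback carries neither access_token nor code")
```

The `state` value is compared with `hmac.compare_digest` and must be stored server-side (for example in the user's session) between the redirect and the callback; a client that skips the comparison accepts any token or code that lands on its `redirect_uri`.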
## Authentication

### Login/Password

To obtain an access token using username and password:

```http
POST /oauth/token HTTP/1.1
Host: prod-api.lolz.live
Content-Type: application/json

{
  "grant_type": "password",
  "username": "your_username",
  "password": "your_password",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "scope": "basic read post"
}
```

Request Parameters

| Parameter | Description |
|---|---|
| `grant_type` | Must be set to `password`. |
| `username` | Your username/email. |
| `password` | Your password. |
| `client_id` | Client ID. |
| `client_secret` | Client secret. |
| `scope` | Token scopes. |

Response Example

```json
{
  "client_id": "abcdefghhi",
  "user_id": 123456789,
  "expire_date": 1751328000,
  "scope": "basic read post",
  "issue_date": 1735689600,
  "hidden_token": 0,
  "token_id": 123456,
  "access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "refresh_token": "01234567890abcdef01234567890abcdef012345",
  "refresh_token_expires_in": 15552000
}
```
### Authorization Code

To obtain an access token using an authorization code:

```http
POST /oauth/token HTTP/1.1
Host: prod-api.lolz.live
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "01234567890abcdef01234567890abcdef012345",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "scope": "basic read post"
}
```

Request Parameters

| Parameter | Description |
|---|---|
| `grant_type` | Must be set to `authorization_code`. |
| `code` | Authorization code. |
| `client_id` | Client ID. |
| `client_secret` | Client secret. |
| `scope` | Token scopes (optional; defaults to the scopes requested in the authorization URL). |
| `redirect_uri` | The `redirect_uri` that was used in the authorization URL. |

Response Example

```json
{
  "client_id": "abcdefghhi",
  "user_id": 123456789,
  "expire_date": 1751328000,
  "scope": "basic read post",
  "issue_date": 1735689600,
  "hidden_token": 0,
  "token_id": 123456,
  "access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "refresh_token": "01234567890abcdef01234567890abcdef012345",
  "refresh_token_expires_in": 15552000
}
```
### Client Credentials

To obtain an access token using client credentials:

```http
POST /oauth/token HTTP/1.1
Host: prod-api.lolz.live
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "scope": "basic read post"
}
```

Request Parameters

| Parameter | Description |
|---|---|
| `grant_type` | Must be set to `client_credentials`. |
| `client_id` | Client ID. |
| `client_secret` | Client secret. |
| `scope` | Token scopes. |

Response Example

```json
{
  "client_id": "abcdefghhi",
  "user_id": 123456789,
  "expire_date": 1751328000,
  "scope": "basic read post",
  "issue_date": 1735689600,
  "hidden_token": 0,
  "token_id": 123456,
  "access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
```
## Token Refresh

Access tokens expire after a certain period. When a token expires, you can refresh it without requiring the user to log in again.

### Refresh Token Request

```http
POST /oauth/token HTTP/1.1
Host: prod-api.lolz.live
Content-Type: application/json

{
  "grant_type": "refresh_token",
  "refresh_token": "your_refresh_token",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret"
}
```

Request Parameters

| Parameter | Description |
|---|---|
| `grant_type` | Must be set to `refresh_token`. |
| `refresh_token` | The refresh token received during initial authentication. |
| `client_id` | Client ID. |
| `client_secret` | Client secret. |

Response Example

```json
{
  "client_id": "abcdefghhi",
  "user_id": 123456789,
  "expire_date": 1751328000,
  "scope": "basic read post",
  "issue_date": 1735689600,
  "hidden_token": 0,
  "token_id": 123456,
  "access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "refresh_token": "01234567890abcdef01234567890abcdef012345",
  "refresh_token_expires_in": 15552000
}
```
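A small client for the `/oauth/token` endpoint, covering the four grant types documented above (password, authorization code, client credentials, refresh token) and the refresh decision, as an added example that is not the lolz.live project's own code. The host and path come from the page. The HTTP transport is injected as a `post(url, body) -> dict` callable so the example runs offline; `default_post` is a plain `urllib` implementation for real use, and the one-day refresh margin is an assumption, not something the page specifies.

```python
# Added example (not from the lolz.live documentation): request bodies for the
# documented grant types, the token fields a client needs to keep, and a
# refresh step driven by `expire_date`. The transport is injected so the code
# runs without network access; REFRESH_MARGIN is an assumed client policy.
import json
import time
from urllib.request import Request, urlopen

TOKEN_URL = "https://prod-api.lolz.live/oauth/token"  # host and path from the page
REFRESH_MARGIN = 24 * 3600  # refresh a day before expire_date (assumption)

# per grant type: which extra fields the page documents as required
REQUIRED = {
    "password": ("username", "password", "scope"),
    "authorization_code": ("code", "redirect_uri"),  # scope is optional here
    "client_credentials": ("scope",),
    "refresh_token": ("refresh_token",),
}


def default_post(url, body):
    """Real transport: JSON POST, JSON response (not used by the test)."""
    req = Request(url, data=json.dumps(body).encode(), method="POST",
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def token_request(grant_type, client_id, client_secret, **extra):
    """Build the JSON body for /oauth/token, rejecting unknown or incomplete grants."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = [k for k in REQUIRED[grant_type] if k not in extra]
    if missing:
        raise ValueError(f"{grant_type} requires {missing}")
    body = {"grant_type": grant_type, "client_id": client_id, "client_secret": client_secret}
    body.update(extra)
    return body


class TokenSet:
    """The parts of the token response a client has to keep."""

    def __init__(self, resp):
        self.access_token = resp["access_token"]
        self.expire_date = int(resp["expire_date"])  # unix time, per the response example
        self.scope = set(resp.get("scope", "").split())
        # the client_credentials response on the page carries no refresh_token
        self.refresh_token = resp.get("refresh_token")

    def has_scope(self, name):
        return name in self.scope

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expire_date - REFRESH_MARGIN


def obtain(post, grant_type, client_id, client_secret, **extra):
    """Perform one /oauth/token call and wrap the response."""
    body = token_request(grant_type, client_id, client_secret, **extra)
    return TokenSet(post(TOKEN_URL, body))


def ensure_fresh(post, tokens, client_id, client_secret, now=None):
    """Return `tokens` if still usable, otherwise a refreshed TokenSet.

    Raises when the token is expiring and there is no refresh_token, which is
    the case for client_credentials tokens: the caller must request a new one.
    """
    if not tokens.needs_refresh(now):
        return tokens
    if not tokens.refresh_token:
        raise RuntimeError("token expiring and no refresh_token available; re-authorize")
    return obtain(post, "refresh_token", client_id, client_secret,
                  refresh_token=tokens.refresh_token)
```

Because every grant on this page sends `client_secret`, these calls belong on a server-side component; a browser or mobile client should instead use `response_type=token` from the authorization endpoint, which never sees the secret.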