@@ 93,7 93,7 @@ interpret them; they are passed verbatim to our OAuth 2.0 endpoints.
The authorization endpoint (see [section 4.1.1][RFC 6749:4.1.1]) is
`https://linktaco.com/oauth2/authorize`. Note that LinkTaco differs from the
specification in that it REQUIRES the scope parameter to be provided; per
-[section 3.3][RFC 6749:3.3] meta.sr.ht interprets the absence of the scope
+[section 3.3][RFC 6749:3.3] LinkTaco interprets the absence of the scope
parameter as an invalid scope and will cause the request to fail.
### The OAuth 2.0 consent page
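Review bot: On the changed line and the context line after it, the sentence now reads "LinkTaco interprets the absence of the scope parameter as an invalid scope and will cause the request to fail", which makes LinkTaco the subject of "will cause"; consider "and the request will fail". A client integrating against `https://linktaco.com/oauth2/authorize` has to handle this case, so it would also help to say how the failure is reported to the client (for example, which `error` value is returned). The text does not currently state that.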
@@ 276,22 276,7 @@ The `expires` date is in Unix epoch format.
You can now use this token for [Authenticating API
requests](#authenticating-api-requests).
-# Authenticating API requests
-
-Authenticating your API request is simple once you have an access token. You
-just need to set the `Authorization` header to `Bearer your-access-token`. For
-example:
-
-```sh
-oauth_token=your oauth token
-curl \
- --oauth2-bearer "$oauth_token" \
- -H 'Content-Type: application/json' \
- -d '{"query": "{ version { major, minor, patch } }"}' \
- https://api.linktaco.com/query
-```
-
-## Refreshing access tokens
+### Refreshing access tokens
You can refresh an access token programmatically to avoid service disruptions.
To refresh a token simply follow the same steps in "Obtaining an access token"
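Review bot: The context link `[Authenticating API requests](#authenticating-api-requests)` just above the removed block now targets a section that this patch moves further down the page. Please confirm the anchor still resolves in the rendered output, and that "You can now use this token for" still reads sensibly when the next heading is "Refreshing access tokens". The demotion of `## Refreshing access tokens` to `###` also depends on a parent heading that is not visible in this hunk, so the rendered outline is worth a check.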
@@ 304,19 289,34 @@ Upon a successful refresh you will receive the same response json as when
obtaining a new token. You should then update your own database with the new
access token, refresh token, and expiration date.
-## Rotating your client secret
+### Rotating your client secret
On the security tab of your OAuth 2.0 client's dashboard (which can be accessed
from the [OAuth clients page][oauth clients]), you can rotate your client
secret, in the event that it is compromised.
-## Revoking access tokens
+### Revoking access tokens
On the security tab of your OAuth 2.0 client's dashboard (which can be accessed
from the [OAuth clients page][oauth clients]), you can revoke all issued access
tokens at once, in the event some or all of them are compromised. Users will
have to repeat the authorization flow.
+# Authenticating API requests
+
+Authenticating your API request is simple once you have an access token. You
+just need to set the `Authorization` header to `Bearer your-access-token`. For
+example:
+
+```sh
+oauth_token=your oauth token
+curl \
+ --oauth2-bearer "$oauth_token" \
+ -H 'Content-Type: application/json' \
+ -d '{"query": "{ version { major, minor, patch } }"}' \
+ https://api.linktaco.com/query
+```
+
# Documentation Attribution
Our GraphQL setup is heavily based on the [SourceHut][srht] GraphQL services.
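Review bot: In the re-added example, `oauth_token=your oauth token` is not a valid shell assignment. The shell treats it as a one-off `oauth_token=your` for a command named `oauth`, that command fails, and the following `curl` runs with an empty `$oauth_token`. Since the block is being moved anyway, this is a good moment to quote the placeholder, e.g. `oauth_token='your-access-token'`, which also matches the `Bearer your-access-token` wording in the prose. The prose tells the reader to set the `Authorization` header while the example uses `--oauth2-bearer`; a short sentence noting that the flag sends that header would tie the two together.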