~netlandish/links-wiki

73a3083c50654168e5bc87220cd0431ff9e135fb — Peter Sanchez a month ago 3bf7418 master
Rearranging a few paragraphs to a more correct section
1 files changed, 19 insertions(+), 19 deletions(-)

M oauth.md
M oauth.md => oauth.md +19 -19
@@ 93,7 93,7 @@ interpret them; they are passed verbatim to our OAuth 2.0 endpoints.
The authorization endpoint (see [section 4.1.1][RFC 6749:4.1.1]) is
`https://linktaco.com/oauth2/authorize`. Note that LinkTaco differs from the
specification in that it REQUIRES the scope parameter to be provided; per
[section 3.3][RFC 6749:3.3] meta.sr.ht interprets the absence of the scope
[section 3.3][RFC 6749:3.3] LinkTaco interprets the absence of the scope
parameter as an invalid scope and will cause the request to fail.

### The OAuth 2.0 consent page


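Review bot: The sentence the renamed line belongs to has a mismatched subject: "LinkTaco interprets the absence of the scope parameter as an invalid scope and will cause the request to fail" reads as if LinkTaco itself causes the failure. Since the line is being touched anyway, consider "LinkTaco treats a missing scope parameter as an invalid scope, and the request fails", and state which error the client receives so integrators can handle it. The meta.sr.ht to LinkTaco rename is also not a paragraph move, so it deserves a mention in the commit message or its own commit.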
@@ 276,22 276,7 @@ The `expires` date is in Unix epoch format.
You can now use this token for [Authenticating API
requests](#authenticating-api-requests).

# Authenticating API requests

Authenticating your API request is simple once you have an access token. You
just need to set the `Authorization` header to `Bearer your-access-token`. For
example:

```sh
oauth_token=your oauth token
curl \
  --oauth2-bearer "$oauth_token" \
  -H 'Content-Type: application/json' \
  -d '{"query": "{ version { major, minor, patch } }"}' \
  https://api.linktaco.com/query
```

## Refreshing access tokens
### Refreshing access tokens

You can refresh an access token programmatically to avoid service disruptions.
To refresh a token simply follow the same steps in "Obtaining an access token"


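Review bot: In the refresh section, "Obtaining an access token" is referenced as a quoted title, while the context line just above it links with `[Authenticating API requests](#authenticating-api-requests)`. Use an anchor link here too, so the reference survives heading changes like the `##` to `###` demotion in this hunk. Also confirm that the `###` level places the section under the intended parent heading, which is outside the visible context.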
@@ 304,19 289,34 @@ Upon a successful refresh you will receive the same response json as when
obtaining a new token. You should then update your own database with the new
access token, refresh token, and expiration date.

## Rotating your client secret
### Rotating your client secret

On the security tab of your OAuth 2.0 client's dashboard (which can be accessed
from the [OAuth clients page][oauth clients]), you can rotate your client
secret, in the event that it is compromised.

## Revoking access tokens
### Revoking access tokens

On the security tab of your OAuth 2.0 client's dashboard (which can be accessed
from the [OAuth clients page][oauth clients]), you can revoke all issued access
tokens at once, in the event some or all of them are compromised. Users will
have to repeat the authorization flow.

# Authenticating API requests

Authenticating your API request is simple once you have an access token. You
just need to set the `Authorization` header to `Bearer your-access-token`. For
example:

```sh
oauth_token=your oauth token
curl \
  --oauth2-bearer "$oauth_token" \
  -H 'Content-Type: application/json' \
  -d '{"query": "{ version { major, minor, patch } }"}' \
  https://api.linktaco.com/query
```

# Documentation Attribution

Our GraphQL setup is heavily based on the [SourceHut][srht] GraphQL services.
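Review bot: The relocated curl example still has `oauth_token=your oauth token`, which a shell parses as a one-off environment assignment of `your` in front of a command named `oauth`, so `$oauth_token` is empty when curl runs. Quote the placeholder and match the prose, e.g. `oauth_token='your-access-token'`. Separately, the "Rotating your client secret" section in this hunk does not say whether rotation affects already issued access or refresh tokens; one sentence on that would help someone responding to a compromise decide whether they also need "Revoking access tokens".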
