Example: OpenID+OAuth 2 Hybrid Flow

For most of our examples, the first step is Step 1: Authentication. This example explains that initial step detail.

  1. Obtaining User Authorization
  2. Token Exchange
  3. Requesting Data
  4. Refreshing Expired Sessions

Step 1: Obtaining User Authorization

The User Authorization step is, for many developers, the most confusing step in the Hybrid auth flow, as it involves the third party user and our endpoint rather than a direct request from an API client (or curl) to Spark API.

In the example URI below, fill in your personal credentials for the following parameters:

  • openid.spark.client_id: The API key credentials for your application.
  • openid.return_to: The redirect URI for your API key.

This is the URI your end users will be directed to in their web browser to authorize your application to access their data.

Once directed to our endpoint, the user will be prompted to:

  1. Log in.
  2. Allow (or Deny) your application access to their data.

Step 2: Token Exchange

After the end user allows your application access to their data, they will be redirected to the location specified by your redirect URI. Extracting the value from the openid.spark.code parameter will supply us with the code we need to complete the Token Exchange and obtain an access token.


Using this code along with your credentials, we can finally jump to the command line and make the following curl request (modified with your credentials and the code above, of course).

$ curl "https://sparkapi.com/v1/oauth2/grant" -H "X-SparkApi-User-Agent: SparkAPIExamples" -H "Authorization: OAuth MY_OAUTH2_ACCESS_TOKEN" {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"} -H 'Content-Type: application/json' -X POST --data '{"client_id": "[client_id]","client_secret":  "[client_secret]","grant_type": "authorization_code","code": "[code]", "redirect_uri": "[redirect_uri]"}'
  "access_token": "[access_token]",
  "refresh_token": "[refresh_token]",
  "expires_in":  86400

Step 3: Requesting Data

Most of our other example pages exercise this step. To try an authenticated request against the API with your access_token from the previous step, try out Step 4: Retrieving list item values for the City field from our Displaying Standard Field Labels examples.

Step 4: Refreshing Expired Sessions

Most applications prefer not to make end users log in again once their access token expires, and the Refresh Token action provides such a solution.

There are only two differences between the Token Exchange and the Token Refresh steps:

  1. The grant_type attribute in the POST body is set to "refresh_token", instead of "code".
  2. The code attribute is replaced with the refresh_token attribute, and takes the refresh_token value from the Token Exchange.

$ curl "https://sparkapi.com/v1/oauth2/grant" -H "X-SparkApi-User-Agent: SparkAPIExamples" -H "Authorization: OAuth MY_OAUTH2_ACCESS_TOKEN" {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"} -H 'Content-Type: application/json' -X POST --data '{"client_id": "[client_id]","client_secret":  "[client_secret]","grant_type": "refresh_token","refresh_token": "[refresh_token]", "redirect_uri": "[redirect_uri]"}'
  "access_token": "[access_token]",
  "refresh_token": "[refresh_token]",
  "expires_in":  86400