OAuth 2.0 Integration

OAuth 2.0 Authentication: Secure API Access

Implement secure OAuth 2.0 authentication to access Ademero APIs. Follow our comprehensive guide to integrate authorization flows, manage tokens, and build secure applications.

OAuth 2.0 Authorization Flow

Follow these steps to implement the OAuth 2.0 authorization code flow.

1. Authorization Request
Redirect the user to the Ademero authorization endpoint:
GET https://api.ademero.com/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=YOUR_REDIRECT_URI&
  response_type=code&
  scope=read%20write&
  state=RANDOM_STATE

2. User Authorization
The user grants permission to your application.
// User sees authorization screen
// Approves or denies access
// Redirected back to your app

3. Authorization Code
Exchange the authorization code for an access token:
POST https://api.ademero.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=AUTHORIZATION_CODE&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
redirect_uri=YOUR_REDIRECT_URI

4. Access Token
Use the access token to make API requests:
GET https://api.ademero.com/documents
Authorization: Bearer YOUR_ACCESS_TOKEN

// Response includes user documents

OAuth Scopes

Request specific permissions based on your application needs.

read
Read access to documents and folders
  • View documents
  • List folders
  • Search content
  • Download files
write
Write access to documents and folders
  • Create documents
  • Update metadata
  • Move files
  • Delete items
admin
Administrative access
  • User management
  • Permission control
  • System settings
  • Audit access
workflow
Workflow management access
  • Create workflows
  • Manage approvals
  • View status
  • Update tasks

SDK Integration Examples

Get started quickly with our official OAuth SDKs

JavaScript SDK
// Install the SDK (shell command, not JavaScript)
//   npm install @ademero/oauth-sdk

// Initialize the OAuth client on the server: the client secret must never be
// shipped to the browser (see Secure Storage below)
import { randomBytes } from 'node:crypto';
import { AdemeroOAuth } from '@ademero/oauth-sdk';

const oauth = new AdemeroOAuth({
  clientId: process.env.ADEMERO_CLIENT_ID,
  clientSecret: process.env.ADEMERO_CLIENT_SECRET,
  redirectUri: 'https://your-app.com/callback'
});

// Unguessable state value; keep it in the user's session and compare it with
// the state returned on the callback before exchanging the code
function generateRandomState() {
  return randomBytes(32).toString('base64url');
}

// Generate the authorization URL
const authUrl = oauth.getAuthorizationUrl({
  scope: ['read', 'write'],
  state: generateRandomState()
});

// Exchange the code for tokens; authorizationCode is the `code` query
// parameter of the callback request, used only after the state check passed
async function handleCallback(authorizationCode) {
  const tokens = await oauth.exchangeCode(authorizationCode);
  return tokens;
}

OAuth Best Practices

Follow these security best practices for OAuth implementation

Secure Storage
Never expose client secrets in client-side code
  • Store secrets in environment variables
  • Use server-side token exchange
  • Implement token encryption
  • Rotate secrets regularly
Token Management
Handle access and refresh tokens properly
  • Implement automatic token refresh
  • Store tokens securely
  • Handle token expiration
  • Revoke tokens on logout
Error Handling
Gracefully handle OAuth errors
  • Handle authorization denials
  • Implement retry logic
  • Log errors for debugging
  • Provide user feedback
Security Measures
Protect against common OAuth vulnerabilities
  • Validate state parameter
  • Use PKCE for public clients
  • Implement CSRF protection
  • Validate redirect URIs

Advanced OAuth Topics

Master advanced OAuth 2.0 concepts and implementation patterns

Refresh Token Rotation

Implement secure refresh token rotation to minimize the impact of token compromise. When users refresh their access tokens, the server issues a new refresh token and invalidates the previous one, preventing token reuse attacks.

Monitor refresh token rotation patterns to detect suspicious activity. If an old refresh token is used multiple times, it may indicate a compromised token. Always validate the integrity of tokens before accepting them.

Best for long-lived sessions with high security requirements

PKCE for Public Clients

Proof Key for Code Exchange (PKCE) is critical for public clients like mobile apps and single-page applications that cannot securely store a client secret. Generate a random code verifier and create a code challenge hash to prevent authorization code interception attacks.

An attacker who intercepts an authorization code cannot exchange it without the original code verifier, which makes token theft significantly harder even if the code is compromised.

Essential for mobile apps, SPAs, and native applications

Token Introspection

Use the token introspection endpoint to validate token status at runtime. Query whether a token is still active, check expiration times, and verify scope validity. This is useful for shared resources that need to validate tokens from multiple clients.

Implement caching with appropriate TTLs to reduce latency while maintaining security. Always handle introspection failures gracefully and treat inactive tokens as unauthorized requests.

Use for real-time token validation in resource servers

Token Revocation

Implement immediate token revocation when users log out or change their password. The token revocation endpoint allows clients to request token invalidation, preventing further use even before natural expiration.

Maintain a revocation list or token blacklist on the server side. For high-security applications, consider synchronous validation across distributed systems to ensure revoked tokens are immediately rejected.

Critical for security-sensitive operations and account changes

OAuth Error Codes

Common OAuth errors and how to handle them

Error Code                  Description
invalid_request             The request is missing a required parameter or includes an invalid parameter value
unauthorized_client         The client is not authorized to request an authorization code
access_denied               The resource owner denied the request
unsupported_response_type   The authorization server does not support the response type
invalid_scope               The requested scope is invalid, unknown, or malformed
server_error                The authorization server encountered an unexpected condition

Ready to Start Building?

Get your API credentials and start integrating Ademero into your application today.