Half-baked!

OAuth-based authorization for the API is not fully ready yet. The OAuth endpoints described below are subject to change as we tune them in response to user feedback.

OAuth Grants

A grant is the way a client obtains authorization with OAuth. There are several grant types; which one to use depends on your use case.

Every grant type ultimately returns an access token. You send that token with your API requests in place of a session, so treat it as a credential.

Coming soon: PIN-based OAuth

Command-line clients have trouble integrating with OAuth via the implicit and authorization code grants, since they cannot handle the HTTP redirects those grants rely on, and client credentials grants can only be scoped to the app owner's account. A PIN-based OAuth grant is in the works and will be released later.

Client credentials grant
Recommended for: System daemons

Client credentials grants allow for simple machine-to-machine authorization. Use this grant when acting on behalf of other users is not important to you: the resulting token is scoped to the app owner's account, so the client_secret is effectively that account's credential and must stay on the server, never in client-side code.

curl -XPOST "https://backpack.tf/oauth/access_token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept: 1.0" \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=myawesomeapp" \
--data-urlencode "client_secret=abc123" \
--data-urlencode "scope=read write"

Implicit grant
Recommended for: User-agent-based applications

The implicit grant is the simplest way to authorize a user with OAuth. However, it does not support refresh tokens, and the access token is handed straight to the browser in the redirect URL, so use it only for user-agent-based applications that cannot keep a client secret.

state is optional, but recommended

state acts as a CSRF token: if set, it is echoed back unchanged in the authorization response. Generate a fresh, unguessable value for each authorization, store it in the user's session, and reject any response whose state is missing or does not match, so an attacker cannot trick a user into completing an authorization the attacker started. Scopes are space-separated and must be URL-encoded in the query string.

https://backpack.tf/oauth/authorize?response_type=token&client_id=myawesomeapp&scope=read%20write&state={CSRF_TOKEN}

After logging in and approving the request, the user is redirected to the redirect URI you gave to your app, with the access token and state appended to it (in the URL fragment, as OAuth 2.0 specifies for the implicit grant).

Authorization code grant
Recommended for: Web applications, native applications

Unlike the implicit grant, the authorization code grant lets you refresh the returned access token. Use this method if your application has a secure server-side component: the code exchange in step two requires the client_secret, and the tokens it returns should never reach the browser.

Step one: authorizing the client

The first step is to redirect the user to the backpack.tf OAuth gateway.

As with the implicit grant, it is recommended to set the state field and to check it when the user returns to your redirect URI with the code.

https://backpack.tf/oauth/authorize?response_type=code&client_id=myawesomeapp&scope=read%20write&state={CSRF_TOKEN}

Step two: get the access token

curl -XPOST "https://backpack.tf/oauth/access_token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept: 1.0" \
--data-urlencode "grant_type=authorization_code" \
--data-urlencode "client_id=myawesomeapp" \
--data-urlencode "client_secret=abc123" \
--data-urlencode "scope=read write" \
--data-urlencode "code={AUTHORIZATION_CODE}"

Refresh grant
Recommended for: Refreshing an expired access token

Certain grants (the authorization code grant, but not the implicit grant) return a refresh_token value, which can be exchanged for a new access token once the old one expires. A refresh token is a long-lived credential: store it server-side only and treat its exposure as a compromise of the user's authorization.

curl -XPOST "https://backpack.tf/oauth/access_token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept: 1.0" \
--data-urlencode "grant_type=refresh_token" \
--data-urlencode "client_id=myawesomeapp" \
--data-urlencode "client_secret=abc123" \
--data-urlencode "refresh_token={REFRESH_TOKEN}"
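The following is an added example, not backpack.tf's own code, that ties the grants above together on the client side: it generates and checks the state value (for both the implicit and the authorization code grant), builds the authorize URL with properly encoded scopes, and sends the client credentials, authorization code and refresh token requests with the same form fields as the curl commands. Two things are assumed rather than stated on this page: that the token endpoint answers with a JSON object containing at least access_token (plus refresh_token for the code grant), and that, as in RFC 6749, the code grant returns its parameters in the redirect's query string while the implicit grant returns them in the URL fragment. The transport parameter and fake_token_endpoint are hypothetical hooks so the flow can be run offline.

```python
"""OAuth 2.0 client helpers for the backpack.tf grants described above.
Added example, not backpack.tf code. Assumed: JSON token responses with an
"access_token" key, code-grant parameters in the redirect query string and
implicit-grant parameters in the URL fragment (RFC 6749)."""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

AUTHORIZE_URL = "https://backpack.tf/oauth/authorize"
TOKEN_URL = "https://backpack.tf/oauth/access_token"


def new_state():
    """Fresh, unguessable CSRF token for one authorization; keep it in the session."""
    return secrets.token_urlsafe(32)


def authorize_url(client_id, scopes, state, response_type="code"):
    """Redirect target for step one ("code") or the implicit grant ("token").
    urlencode() encodes the space-separated scope list so the URL is valid."""
    params = {"response_type": response_type, "client_id": client_id,
              "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state, response_type="code"):
    """Validate the redirect back to the app and return its parameters.
    Raises ValueError on a missing or mismatched state (what an attacker-started
    authorization looks like), an OAuth error, or a missing code/token."""
    parts = urlsplit(callback_url)
    raw = parts.query if response_type == "code" else parts.fragment
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    got = params.get("state", "")
    if not expected_state or not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state missing or mismatched; discarding authorization response")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"])
    want = "code" if response_type == "code" else "access_token"
    if want not in params:
        raise ValueError("authorization response lacks " + want)
    return params


def fetch_token(fields, transport=None):
    """POST form fields to the token endpoint and decode the JSON reply.
    `transport` (form -> response bytes) is a hypothetical hook for offline
    use; when None the request really goes to backpack.tf."""
    if transport is None:
        def transport(form):
            req = Request(TOKEN_URL, data=urlencode(form).encode(), method="POST",
                          headers={"Content-Type": "application/x-www-form-urlencoded",
                                   "Accept": "1.0"})
            with urlopen(req, timeout=15) as resp:
                return resp.read()
    body = json.loads(transport(fields))
    if "access_token" not in body:
        raise ValueError("no access_token in token response: %r" % (body,))
    return body


def client_credentials_token(client_id, client_secret, scopes, transport=None):
    return fetch_token({"grant_type": "client_credentials", "client_id": client_id,
                        "client_secret": client_secret, "scope": " ".join(scopes)}, transport)


def exchange_code(client_id, client_secret, scopes, code, transport=None):
    """Step two of the authorization code grant."""
    return fetch_token({"grant_type": "authorization_code", "client_id": client_id,
                        "client_secret": client_secret, "scope": " ".join(scopes),
                        "code": code}, transport)


def refresh_access_token(client_id, client_secret, refresh_token, transport=None):
    return fetch_token({"grant_type": "refresh_token", "client_id": client_id,
                        "client_secret": client_secret,
                        "refresh_token": refresh_token}, transport)


def fake_token_endpoint(form):
    """Constructed stand-in for the token endpoint, used only for offline runs."""
    return json.dumps({"access_token": "at-" + form["grant_type"], "token_type": "bearer",
                       "expires_in": 3600, "refresh_token": "rt-demo"}).encode()


if __name__ == "__main__":
    state = new_state()
    print(authorize_url("myawesomeapp", ["read", "write"], state))
    # Constructed callback URL, as the browser would deliver it after login.
    cb = parse_callback("https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state, state)
    tokens = exchange_code("myawesomeapp", "abc123", ["read", "write"], cb["code"],
                           transport=fake_token_endpoint)
    print(refresh_access_token("myawesomeapp", "abc123", tokens["refresh_token"],
                               transport=fake_token_endpoint))
```

The state comparison uses hmac.compare_digest rather than == so the check does not leak timing information, and any response without a matching state is dropped before the code is ever sent to the token endpoint; that is the order that actually prevents the CSRF the page warns about.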