MyNickname OAuth API Docs
Guides and reference materials to help you get started, integrate, optimize, and troubleshoot your use of the MyNickname OAuth API.
🚀 OAuth 2.0 Authorization Code Grant Flow
Authorization Request:
GET https://api.mynickname.com/oauth/authenticate
Query params
| Parameter | Value | Description |
| --- | --- | --- |
| response_type | code | |
| client_id | | Client ID of your app |
| redirect_uri | | Redirect URI of your app |
| scope | | A space delimited list of scopes (e.g. basic email) |
| state | | CSRF token (optional but highly recommended). You should store the value of the CSRF token in the user’s session to be validated when they return. |
- The request with query parameters:
GET https://api.mynickname.com/oauth/authenticate?response_type=code&client_id=[client_id]&redirect_uri=[redirect_uri]&scope=[scope]&state=[state]
- The authorization server authenticates the user (if not already authenticated) and asks the user to authorize the client application's request for access.
- If the user grants the request, the authorization server redirects the user back to the client's redirect_uri with the following query parameters:

| Parameter | Description |
| --- | --- |
| code | Authorization code that is used in Token Request |
| state | state parameter sent in the original request. You should compare this value with the value stored in the user’s session to ensure the authorization code is obtained in response to requests made by this client rather than another client application. |
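
The state round trip described above, as an added example that is not part of the MyNickname documentation. It assumes a dict-like server-side session, and the session key `oauth_state` and both function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://api.mynickname.com/oauth/authenticate"  # from the page


def build_authorization_url(session, client_id, redirect_uri, scope):
    """Create a fresh state value, keep it in the session, return the URL."""
    state = secrets.token_urlsafe(32)      # unguessable, one per request
    session["oauth_state"] = state         # hypothetical session key
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,                    # space delimited, e.g. "basic email"
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if state matches the session."""
    params = parse_qs(urlparse(callback_url).query)   # also URL-decodes code
    returned = params.get("state", [""])[0]
    expected = session.pop("oauth_state", None)       # single use: no replay
    if not expected or not hmac.compare_digest(
        returned.encode("utf-8"), expected.encode("utf-8")
    ):
        raise ValueError("state mismatch: discard the authorization code")
    codes = params.get("code")
    if not codes:
        raise ValueError("callback carries no authorization code")
    return codes[0]
```

Popping the stored value before comparing means a callback URL that is replayed, or that arrives without a prior request from this session, is rejected.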
Token Request:
POST https://api.mynickname.com/oauth/access_token
Request body params
| Parameter | Value | Description |
| --- | --- | --- |
| grant_type | authorization_code | |
| client_id | | Client ID of your app |
| client_secret | | Client Secret of your app |
| redirect_uri | | Redirect URI of your app |
| code | | The authorization code from the authorization callback. The value should be URL decoded. |

- The client application exchanges the authorization code for an access token by making a POST request to the authorization server's token endpoint.
- The request includes the grant_type=authorization_code, client_id, client_secret, redirect_uri, and code.
- The authorization server will respond with a JSON object containing the following properties:

| Parameter | Description |
| --- | --- |
| token_type | With the value Bearer |
| expires_in | An integer representing the TTL of the access token |
| access_token | The access token for future calls on behalf of the user. |
| refresh_token | The token to refresh access_token. |
Accessing Protected Resources:
Endpoint to retrieve the main nickname data (the nickname under which the user is authorized):
GET https://api.mynickname.com/v1/nickname
Endpoint to retrieve data for all of the user's nicknames:
GET https://api.mynickname.com/v1/nicknames
Request Headers
| Header | Value | Description |
| --- | --- | --- |
| Authorization | Bearer access_token | Include the access token for authentication |

- The client application uses the access token to access the user's protected resources by including it in the Authorization header of HTTP requests with the value Bearer access_token.
- The API server will respond with a JSON object containing the nickname data.
Refresh Token:
POST https://api.mynickname.com/oauth/refresh_token
Request body params
| Parameter | Value | Description |
| --- | --- | --- |
| grant_type | refresh_token | |
| client_id | | Client ID of your app |
| client_secret | | Client Secret of your app |
| refresh_token | | The refresh_token from the Token Request response |

- When the access_token expires, the client can use the refresh_token to obtain a new access_token without requiring the user to re-authenticate.
- The client makes a POST request to the token refresh endpoint with grant_type=refresh_token, refresh_token, client_id, and client_secret.
🪖 OAuth 2.0 Authorization Code Grant with PKCE Flow
Authorization Request:
GET https://api.mynickname.com/oauth/authenticate
Query params
| Parameter | Value | Description |
| --- | --- | --- |
| response_type | code | |
| client_id | | Client ID of your app |
| redirect_uri | | Redirect URI of your app |
| scope | | A space delimited list of scopes (e.g. basic email) |
| code_challenge | | Created by hashing the code_verifier with SHA-256 and encoding using URL-safe Base64 |
| state | | CSRF token (optional but highly recommended). Store the CSRF token value in the user’s session to validate when they return. |

- The client application generates a code_verifier, a random string, and creates a code_challenge by hashing the code_verifier with SHA-256 and encoding it using URL-safe Base64 (RFC 7636). The code_challenge is sent to the authorization server, while the code_verifier is kept secret and used later during the token exchange.
- The request with query parameters:
GET https://api.mynickname.com/oauth/authenticate?response_type=code&client_id=[client_id]&redirect_uri=[redirect_uri]&scope=[scope]&code_challenge=[code_challenge]&state=[state]
- The authorization server authenticates the user (if not already authenticated) and asks the user to authorize the client application's request for access.
- If the user grants the request, the authorization server redirects the user back to the client's redirect_uri with the following query parameters:

| Parameter | Description |
| --- | --- |
| code | Authorization code that is used in Token Request |
| state | The state parameter sent in the original request. You should compare this value with the value stored in the user’s session to ensure the authorization code is obtained in response to requests made by this client rather than another client application. |
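
Generating the code_verifier and code_challenge for the authorization request above, and carrying the verifier into the Token Request that follows, as an added example that is not part of the MyNickname documentation. The function names are hypothetical; the parameter names are the ones in the page's tables, which list no code_challenge_method parameter, so none is sent.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://api.mynickname.com/oauth/authenticate"  # from the page


def make_code_verifier(n_bytes=32):
    """Random code_verifier; 32 random bytes encode to 43 URL-safe characters."""
    return secrets.token_urlsafe(n_bytes)


def make_code_challenge(code_verifier):
    """URL-safe Base64 of SHA-256(code_verifier), '=' padding stripped (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_authorization_url(client_id, redirect_uri, scope, state, code_verifier):
    """Authorization request URL; only the challenge leaves the client here."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": make_code_challenge(code_verifier),
        "state": state,
    })


def pkce_token_params(client_id, redirect_uri, code, code_verifier):
    """Token request parameters: the verifier is revealed now, no client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
        "code": code,
    }
```

Keep the code_verifier alongside the state value in the user's session so that the same verifier is available when the callback arrives.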
Token Request:
POST https://api.mynickname.com/oauth/access_token
Request body params
| Parameter | Value | Description |
| --- | --- | --- |
| grant_type | authorization_code | |
| client_id | | Client ID of your app |
| code_verifier | | Random string from which the code_challenge was created |
| redirect_uri | | Redirect URI of your app |
| code | | The authorization code from the authorization callback. The value should be URL decoded. |

- The client application exchanges the authorization code for an access token by making a POST request to the authorization server's token endpoint.
- The request includes the grant_type=authorization_code, client_id, code_verifier, redirect_uri, and code.
- The authorization server will respond with a JSON object containing the following properties:

| Parameter | Description |
| --- | --- |
| token_type | With the value Bearer |
| expires_in | An integer representing the TTL of the access token |
| access_token | The access token for future calls on behalf of the user |
| refresh_token | The token to refresh access_token |
Accessing Protected Resources:
Endpoint to retrieve the main nickname data (the nickname under which the user is authorized):
GET https://api.mynickname.com/v1/nickname
Endpoint to retrieve data for all of the user's nicknames:
GET https://api.mynickname.com/v1/nicknames
Request Headers
| Header | Value | Description |
| --- | --- | --- |
| Authorization | Bearer access_token | Include the access token for authentication |

- The client application uses the access token to access the user's protected resources by including it in the Authorization header of HTTP requests with the value Bearer access_token.
- The API server will respond with a JSON object containing the nickname data.
Refresh Token:
POST https://api.mynickname.com/oauth/refresh_token
Request body params
| Parameter | Value | Description |
| --- | --- | --- |
| grant_type | refresh_token | |
| client_id | | Client ID of your app |
| client_secret | | Client Secret of your app |
| refresh_token | | The refresh_token from the Token Request response |

- When the access_token expires, the client can use the refresh_token to obtain a new access_token without requiring the user to re-authenticate.
- The client makes a POST request to the token refresh endpoint with grant_type=refresh_token, refresh_token, client_id, and client_secret.
❔ Any questions about integrating or working with the API?
Contact us