OAuth
Last updated
Last updated
Reminder: if you are using an app/client ID in sandbox, you must use sandbox.motar.io as the endpoint for your requests.
Reminder: new apps connecting to MOTAR should use PKCE flow, as it offers more security. MOTAR may deprecate Implicit flow in the future.
GET https://api.motar.io/oauth/signin
This endpoint renders the OAuth login page. This page can be displayed in a browser or an app's webview. Your app should be configured to accept a redirect from the OAuth screen and should capture the resulting tokens to maintain the logged-in user's session.
| Name | Type | Description |
|---|---|---|
POST https://api.motar.io/oauth/token
Generates an auth token with a code or refreshes a session using a refresh token.
POST https://api.motar.io/oauth/logout
Logs out a user that has been logged in via OAuth screen.
GET https://api.motar.io/oauth/token/validate
A simple request to validate the attached authentication token.
GET https://api.motar.io/oauth/session/validate
Validates the logged-in user's session. If a user's access has been revoked by MOTAR or a 3rd party since the user logged in, this endpoint will return the appropriate error as indicated below.
| Name | Type | Description |
|---|---|---|
| Name | Type | Description |
|---|---|---|
| Name | Type | Description |
|---|---|---|
| Name | Type | Description |
|---|---|---|
clientId*
string
Your app's client ID, generated in MOTAR Studio.
response_type*
string
Determines what auth flow to use. Can be "code" or "implicit". "Code" auth flow will generate an auth-code that can be used to retrieve an auth token, while "implicit" will generate an auth and refresh token directly.
redirect_uri*
string
After logging in, the user will be redirected to this URI. Must be registered for your app in MOTAR Studio beforehand.
state*
string
This will be passed through the auth flow and to the redirect URI. Can be any arbitrary string.
app_login
string
Determines whether or not the OAuth screen should include the "Login via MOTAR App" button. Set to "true" if your client is an app to allow users to login if they have the MOTAR app.
nonce
string
An arbitrary value provided by the client that is unique to this request. This value will be returned in the token response as a way for the client to validate the request and protect against CSRF attacks.
refresh_token
string
Refresh token generated by the OAuth flow. Required if using grant_type "refresh_token"
code
string
An authorization code generated from the OAuth flow. Required if using grant_type "authorization_code".
client_secret
string
Your app's client secret from MOTAR studio required for grant_type "refresh_token".
clientId
string
Your app's client ID from MOTAR Studio.
grant_type
string
Can be "refresh_token" if refreshing an existing session or "authorization_code" if generating an auth token with a code.
refresh_token
string
Refresh token generated by OAuth flow.
Authentication
string
Auth token generated by user login.
Authentication*
string
Auth token generated by user login.