OAuth
Reminder: if you are using an app/client ID in sandbox, you must use sandbox.motar.io as the endpoint for your requests.
Reminder: new apps connecting to MOTAR should use PKCE flow, as it offers more security. MOTAR may deprecate Implicit flow in the future.
Render OAuth Login Page
GET
https://api.motar.io/oauth/signin
This endpoint renders the OAuth login page. This page can be displayed in a browser or an app's webview. Your app should be configured to accept a redirect from the OAuth screen and should capture the resulting tokens to maintain the logged-in user's session.
Query Parameters
Name | Type | Description |
---|---|---|
clientId* | string | Your app's client ID, generated in MOTAR Studio. |
response_type* | string | Determines which auth flow to use. Can be "code" or "implicit". The "code" flow generates an auth code that can be used to retrieve an auth token, while "implicit" generates an auth token and a refresh token directly. |
redirect_uri* | string | After logging in, the user will be redirected to this URI. Must be registered for your app in MOTAR Studio beforehand. |
state* | string | This will be passed through the auth flow and to the redirect URI. Can be any arbitrary string. |
app_login | string | Determines whether the OAuth screen should include the "Login via MOTAR App" button. Set to "true" if your client is an app, so that users who have the MOTAR app can log in with it. |
nonce | string | An arbitrary value provided by the client that is unique to this request. This value will be returned in the token response as a way for the client to validate the request and protect against CSRF attacks. |
Refresh or Generate Auth Token
POST
https://api.motar.io/oauth/token
Generates an auth token with a code or refreshes a session using a refresh token.
Request Body
Name | Type | Description |
---|---|---|
refresh_token | string | Refresh token generated by the OAuth flow. Required if using grant_type "refresh_token". |
code | string | An authorization code generated from the OAuth flow. Required if using grant_type "authorization_code". |
client_secret | string | Your app's client secret from MOTAR Studio. Required if using grant_type "refresh_token". |
clientId | string | Your app's client ID from MOTAR Studio. |
grant_type | string | Can be "refresh_token" if refreshing an existing session or "authorization_code" if generating an auth token with a code. |
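The following is an added example, not MOTAR's own code: it builds the sign-in URL with a fresh state and nonce, checks the state on the redirect before building the "authorization_code" request body, and checks the nonce in the token response. It assumes the redirect carries "code" and "state" as query parameters and that the token response is JSON with a "nonce" field; the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Sandbox client IDs use the sandbox.motar.io endpoint instead.
SIGNIN_URL = "https://api.motar.io/oauth/signin"


def build_signin_url(client_id, redirect_uri):
    """Return (url, state, nonce). Store state and nonce in the user's session."""
    state = secrets.token_urlsafe(32)   # unguessable, one per login attempt
    nonce = secrets.token_urlsafe(32)
    query = urlencode({
        "clientId": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must already be registered in MOTAR Studio
        "state": state,
        "nonce": nonce,
    })
    return f"{SIGNIN_URL}?{query}", state, nonce


def _same(a, b):
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())


def token_request_from_redirect(callback_url, client_id, expected_state):
    """Validate the redirect and return the body for POST /oauth/token."""
    params = parse_qs(urlsplit(callback_url).query)
    # Assumption: the redirect carries "state" and "code" query parameters.
    states, codes = params.get("state", []), params.get("code", [])
    if len(states) != 1 or not _same(states[0], expected_state):
        raise ValueError("state missing, repeated, or not the one we issued")
    if len(codes) != 1:
        raise ValueError("authorization code missing or repeated")
    return {
        "grant_type": "authorization_code",
        "code": codes[0],
        "clientId": client_id,
    }


def nonce_matches(token_response, expected_nonce):
    """True only if the token response echoes the nonce sent at sign-in."""
    # Assumption: the nonce comes back in a "nonce" field of the JSON response.
    returned = token_response.get("nonce")
    return isinstance(returned, str) and _same(returned, expected_nonce)
```

Discard the stored state and nonce after one use so a replayed redirect fails the same checks.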
Logout
POST
https://api.motar.io/oauth/logout
Logs out a user who has been logged in via the OAuth screen.
Request Body
Name | Type | Description |
---|---|---|
refresh_token | string | Refresh token generated by the OAuth flow. |
Validate a Token
GET
https://api.motar.io/oauth/token/validate
A simple request to validate the attached authentication token.
Headers
Name | Type | Description |
---|---|---|
Authentication | string | Auth token generated by user login. |
Validate a Session
GET
https://api.motar.io/oauth/session/validate
Validates the logged-in user's session. If a user's access has been revoked by MOTAR or a 3rd party since the user logged in, this endpoint will return the appropriate error as indicated below.
Headers
Name | Type | Description |
---|---|---|
Authentication* | string | Auth token generated by user login. |