Skip to content
Last updated

Authentication

Your application can authenticate with our API using two different methods. Both options can be configured directly in the app under:

Settings → Apps & API

1. OAuth 2.0 Authorization Flow

OAuth provides a secure and flexible authentication mechanism for applications that need delegated access on behalf of a user.

We support the Authorization Code Grant, available in two variants:

1.1 Authorization Code Grant with Client Secret

Use this flow when your application can securely store a Client Secret, such as backend servers or confidential applications.

Key Characteristics:

  • Requires Client ID and Client Secret
  • Uses redirect-based authorization
  • Suitable for server-side applications

Typical Flow:

  1. Redirect user to the OAuth authorization URL.
  2. User grants access.
  3. The app receives an authorization code.
  4. Exchange the authorization code for an access token using the client secret.
  5. Use the access token to call the API.

1.2 Authorization Code Grant with PKCE

For public or mobile applications that cannot securely store a client secret, you can use the PKCE (Proof Key for Code Exchange) variant.

Key Characteristics:

  • No client secret required
  • Uses code_verifier and code_challenge for enhanced security
  • Recommended for mobile, desktop, or browser-based apps

Typical Flow:

  1. Generate a code verifier and challenge.
  2. Redirect the user to the authorization URL with the PKCE challenge.
  3. User grants access.
  4. Receive the authorization code.
  5. Exchange the authorization code for an access token using the code verifier.
  6. Access the API using the token.

2. OAuth Endpoints

The OAuth 2.0 flows use the following endpoints:

Authorization Endpoint

https://api.kanbert.com/oauth/authorize

This endpoint is used to initiate the OAuth flow. It handles:

  • User login
  • The consent screen
  • Returning the authorization code to your redirect URL

Example (client secret or PKCE):

GET https://api.kanbert.com/oauth/authorize
  ?response_type=code
  &client_id=<your-client-id>
  &redirect_uri=<your-redirect-uri>
  &scope=<requested-scopes>
  &state=<optional-state>

Token Endpoint

https://api.kanbert.com/oauth/token

This endpoint is used to exchange the authorization code for an access token.

Example (Client Secret):

POST https://api.kanbert.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=<authorization-code>
&redirect_uri=<redirect-uri>
&client_id=<client-id>
&client_secret=<client-secret>

Example (PKCE):

POST https://api.kanbert.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=<authorization-code>
&redirect_uri=<redirect-uri>
&client_id=<client-id>
&code_verifier=<your-code-verifier>

3. Direct Access Token

If your integration does not require user authorization, you can generate a direct Access Token from the app.

Ideal for:

  • Automated backend systems
  • Service-to-service communication
  • Scheduled or internal integrations

Use the token in API requests:

Authorization: Bearer <your-access-token>

Configuration Location

Both OAuth credentials and direct Access Tokens can be created and managed inside the app:

Settings → Apps & API

You can:

  • Register new Applications
  • Give a name and decide wether a secret should be generated
  • Configure redirect URLs
  • Receive Client IDs and Client Secrets
  • Create and revoke Access Tokens
Previous page
Next page