The Base API supports the industry-adopted standard OAuth 2.0 protocol.

We allow you to use OAuth 2.0 via one of four flows:

  • Authorization Code Grant - use it if you want to authorize a web application.

  • Implicit Grant - use it if you want to authorize a user-agent, like a desktop or a mobile application.

  • Resource Owner Password Credentials Grant - use it if you want to authenticate directly via Base API using resource owner’s password credentials.

  • Refresh Token Grant - use it to renew an access token when the current one expires.


Retrieve an Authorization Grant

GET /oauth2/authorize

Retrieve an authorization grant. Two authorization flows are supported, the Authorization Code Flow and the Implicit Flow; both are described below.

There is no direct return value. When the resource owner grants access to your client application, Base redirects back to the redirection URI (redirect_uri) and includes an authorization grant of the type specified by response_type in either the query or the fragment of that URI.

Authorization Code Flow

If you follow the Authorization Code Flow the redirection URI will include the following query parameters:

Parameter   Description
code        An authorization code, which can be used to obtain an access token.
state       The same value as passed to /oauth2/authorize.

Implicit Flow

If you choose to follow the Implicit Flow the redirection URI will include the following parameters in the URI’s fragment:

Parameter      Description
access_token   An access token.
token_type     A token type. Set to bearer.
expires_in     An expiration time. Set to one hour in seconds: 3600.
refresh_token  A refresh token.
scope          The scope of the access token. Present only if the requested scope differs from the default.

JSON Format

Name           Type    Read-only  Mandatory  Description
response_type  string  false      true       The authorization grant type requested: code for the Authorization Code Flow, token for the Implicit Flow.
client_id      string  false      true       The unique identifier of the client you received from registration.
redirect_uri   string  false      true       The URL you registered as the Callback URL during client registration.
scope          string  false      true       A space-delimited list of scopes for the access request. Possible values: read, write, profile
state          string  false      false      An opaque string value used to maintain state between the request and the callback. It is used to protect against Cross-Site Request Forgery (CSRF).

Allowed for

  • Agents
  • Admins

Using cURL

curl -v -X GET "https://api.getbase.com/oauth2/authorize?response_type=token&client_id=$CLIENT_ID&redirect_uri=https%3A%2F%2Fexample.com%2Foauth%2Fcallback&scope=read&state=$CSRF_TOKEN"
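The following is an added example, not code from the Base API documentation: it builds the /oauth2/authorize request and validates the redirect back, including the constant-time check of the state value that the CSRF protection relies on. The client_id, redirect_uri and callback URLs it is exercised with are constructed placeholders; new_state() stands in for a value obtained from /oauth2/csrf_token.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.getbase.com/oauth2/authorize"


def new_state():
    # Opaque, unguessable value stored in the user's session before redirecting.
    # Plays the same role as a token returned by /oauth2/csrf_token.
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scope, state, response_type="code"):
    # response_type "code" selects the Authorization Code Flow, "token" the Implicit Flow.
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state, response_type="code"):
    # Validate the redirect from Base. Returns the authorization code (or the token
    # fields for the Implicit Flow) and raises if the state check fails.
    parts = urlsplit(callback_url)
    # The code flow returns the grant in the query, the implicit flow in the fragment.
    raw = parts.query if response_type == "code" else parts.fragment
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    # Constant-time compare of the echoed state against the one stored in the session.
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF, discard this callback")
    if response_type == "code":
        if not params.get("code"):
            raise ValueError("callback carries no authorization code")
        return params["code"]
    if params.get("token_type", "").lower() != "bearer" or not params.get("access_token"):
        raise ValueError("implicit callback is missing a bearer access token")
    return {"access_token": params["access_token"],
            "expires_in": int(params.get("expires_in", "0")),
            "refresh_token": params.get("refresh_token"),
            "scope": params.get("scope")}
```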

Retrieve an Access Token

POST /oauth2/token

Retrieves an access token. In order to retrieve a bearer access token and a refresh token, a client application makes a request to the token endpoint using the application/x-www-form-urlencoded format.

The Authorization Code Flow and the Resource Owner Password Credentials Flow are supported; the grant_type parameter described below selects between them.

Notice that every request to the OAuth token endpoint requires client authentication. To authenticate an application, use the standard Authorization header with the Basic authentication scheme, where the username is the client_id and the password is the client_secret.

The response body will include the following fields:

Parameter      Description
access_token   An access token.
token_type     A token type. Set to bearer.
expires_in     An expiration time. Set to one hour in seconds: 3600.
refresh_token  A refresh token.
scope          The scope of the access token. Present only if the requested scope differs from the default.

JSON Format

Name           Type    Read-only  Mandatory  Description
grant_type     string  false      true       A grant type: authorization_code for the Authorization Code Flow, password for the Resource Owner Password Credentials Flow.
client_id      string  false      true       A unique client identifier.
client_secret  string  false      true       A unique client secret.
redirect_uri   string  false      false      The redirection URI that was included in the authorization request. Required if grant_type is equal to authorization_code.
scope          string  false      false      A space-delimited list of scopes for the access request.
code           string  false      false      The value of the authorization code you received from the authorization server in the authorization request. Required if grant_type is equal to authorization_code.
username       string  false      false      The resource owner username. Required if grant_type is equal to password.
password       string  false      false      The resource owner password. Required if grant_type is equal to password.

Allowed for

  • Agents
  • Admins

Using cURL

curl -v -X POST https://api.getbase.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic Base64($CLIENT_ID:$CLIENT_SECRET)" \
  -d "grant_type=authorization_code&code=$AUTHORIZATION_CODE&redirect_uri=$CLIENT_REDIRECT_URI"

Example response

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "$ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 3600,
  "scope": "read write profile",
  "refresh_token": "$REFRESH_TOKEN"
}

Revoke a token

POST /oauth2/revoke

Revoke a single access token, or a single refresh token together with all the access tokens related to it. Doing so notifies Base that the tokens are no longer in use, so the security credentials can be cleaned up. In order to revoke a token, a client application makes a request to the revocation endpoint using the application/x-www-form-urlencoded format.

Notice that every request to the OAuth revocation endpoint requires client authentication. To authenticate an application, use the standard Authorization header with the Basic authentication scheme, where the username is the client_id and the password is the client_secret.

Parameter        Description
token            The token the client wants to revoke.
token_type_hint  A hint about the type of the token. Possible values: access_token, refresh_token

Allowed for

  • Agents
  • Admins

Using cURL

curl -v -X POST https://api.getbase.com/oauth2/revoke \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic Base64($CLIENT_ID:$CLIENT_SECRET)" \
  -d "token=$REFRESH_TOKEN&token_type_hint=refresh_token"

Example response

HTTP/1.1 200 OK
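The following is an added example covering both the token endpoint and the revocation endpoint above; it is not the Base API's own client code. It constructs the client-authenticated, form-encoded POST requests exactly as documented (Basic auth from client_id and client_secret), and validates a token response body, turning expires_in into an absolute expiry. Nothing is sent; the Request objects are returned so they can be inspected, and every credential and token value used with it is a constructed placeholder.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://api.getbase.com/oauth2/token"
REVOKE_URL = "https://api.getbase.com/oauth2/revoke"


def client_auth_header(client_id, client_secret):
    # Client authentication is HTTP Basic: base64("client_id:client_secret").
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")

def _form_post(url, client_id, client_secret, fields):
    # Both endpoints take an application/x-www-form-urlencoded body plus client auth.
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": client_auth_header(client_id, client_secret)}
    return Request(url, data=urlencode(fields).encode("ascii"), headers=headers, method="POST")

def code_exchange_request(client_id, client_secret, code, redirect_uri):
    # Authorization Code Flow: redirect_uri must match the one sent to /oauth2/authorize.
    return _form_post(TOKEN_URL, client_id, client_secret, {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})

def password_grant_request(client_id, client_secret, username, password, scope=None):
    # Resource Owner Password Credentials Flow; scope is optional.
    fields = {"grant_type": "password", "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return _form_post(TOKEN_URL, client_id, client_secret, fields)

def revoke_request(client_id, client_secret, token, token_type_hint="refresh_token"):
    # Revoking a refresh token also revokes the access tokens issued from it.
    return _form_post(REVOKE_URL, client_id, client_secret,
                      {"token": token, "token_type_hint": token_type_hint})

def parse_token_response(body, now=None):
    # Validate a 200 response body and turn expires_in into an absolute expiry time.
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("malformed token response: bearer access_token expected")
    if not isinstance(data.get("expires_in"), int):
        raise ValueError("malformed token response: expires_in must be an integer")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"], "refresh_token": data.get("refresh_token"),
            "scope": set(data.get("scope", "").split()), "expires_at": now + data["expires_in"]}
```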

Retrieve a CSRF token

GET /oauth2/csrf_token

When you use OAuth 2.0 with either the Authorization Code Flow or the Implicit Flow, it is highly recommended to pass an opaque string value called state to maintain state between the request and the callback. This parameter is used to protect against Cross-Site Request Forgery (CSRF) attacks. We provide an endpoint that returns safe, pseudo-random anti-CSRF tokens; you can generate your own as well. Either way, it is highly recommended to use the state parameter in your requests.

Allowed for

  • Agents
  • Admins

Using cURL

curl -v -X GET https://api.getbase.com/oauth2/csrf_token \
  -H "Accept: application/json"

Example response

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache

{
  "csrf_token": "$ANTI_CSRF_TOKEN",
  "generated_at": "2014-09-28T16:32:56Z"
}