Authorization Request

This is the first step in the OAuth Process. The purpose of this step is for an admin from your side to allow the OAuth integration to be done. This is a one-time process.

  • This authorization once done will be valid until the lifetime of the admin

  • The Authorization code provided in the response has an expiry of 5min only, within which the admin should allow the Oauth integration to continue.

Hit the following URL from your browser and you would obtain a pop-up window that asks you to Allow or Deny the authorization. In response, it would redirect to the location specified by you (redirect_uri) along with authorization code appended to the URL.,user_session

  • client_id* - This is the client_id value which you got after registration.

  • response_type* - Although Oauth supports different response_type values. The only value supported by Xoxoday is code

  • redirect_uri* - The URL domain must match to URL which you have shared in the registration STEP 1.

  • scope* - The scope values must be the values mentioned in the client registration. If there are multiple scopes send them separated by a comma.

Please note, if you are generating a company session in the next steps then user_session scope is compulsory.

  • If all the above parameters are validated successfully and the user is already authenticated, then the user is redirected to the following authorization consent page

  • If the user is not authenticated, then the below error will be shown in URL bar following which the user will be redirected to the compass login page.

{client_redirect_uri}?error=access_denied&error_description=The+user+denied+the+request&st ate={client_state} i.e a message saying access denied

  • If the user allowed the request then the browser will be redirected to the following URL and will contain the authentication code appended in the following form


In the above-redirected URL, code is a temporary token created on account of client allowed access which is valid for 5 min duration. Later this code is exchanged for access_token which is used for accessing xoxoday resources granted based on the scopes allowed by the user.

Last updated