OAuth 2.0 Flow

Elixpo Accounts implements the standard OAuth 2.0 Authorization Code Flow. This flow is recommended for web and mobile applications that communicate with a backend server where secrets can be safely stored.

Step 1: Redirect to Authorization

Redirect the user's browser to the authorize endpoint. If the user is not authenticated, they will be prompted to log in or create an account.

GET https://accounts.elixpo.com/oauth/authorize
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &state=RANDOM_CSRF_TOKEN
  &scope=openid profile email

Query Parameters

Parameter      Required  Description
response_type  Yes       Must be set to code.
client_id      Yes       Your application's Client ID.
redirect_uri   Yes       Must exactly match one of your registered Redirect URIs.
state          Yes       A high-entropy random string to mitigate CSRF attacks.
scope          No        Space-separated scopes. Defaults to openid profile email.

Step 2: Handle the Callback

Once the user has approved or denied the request, they are redirected back to the specified redirect_uri with the following query parameters:

Approved: https://yourapp.com/callback?code=code_abc123&state=YOUR_STATE

Denied: https://yourapp.com/callback?error=access_denied&state=YOUR_STATE

Always verify the returned state matches the original CSRF token sent in Step 1 before proceeding.

Step 3: Exchange Code for Tokens

From your secure server backend, execute a POST request to exchange the single-use authorization code (expires in 10 minutes) for access and refresh tokens.

POST https://accounts.elixpo.com/api/auth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "code_abc123",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "https://yourapp.com/callback"
}

Response:

{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 900,
  "refresh_token": "eyJ...",
  "scope": "openid profile email"
}

Step 4: Refresh Tokens

Access tokens expire in 15 minutes (expires_in: 900). Send a refresh token request to exchange a refresh token for a new set of tokens. Refresh tokens are rotated (one-time use): each refresh immediately invalidates the old refresh token, so store only the newly issued one.

POST https://accounts.elixpo.com/api/auth/token
Content-Type: application/json

{
  "grant_type": "refresh_token",
  "refresh_token": "eyJ...",
  "client_id": "YOUR_CLIENT_ID"
}
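The server-side half of the four steps above, as an added Python example that is not part of the Elixpo documentation or any Elixpo SDK. It builds the authorize URL and token request bodies, validates the callback (state checked in constant time before anything else, denial handled separately from approval) and applies refresh-token rotation; it performs no HTTP, and the names TokenSet, new_state, parse_callback and the client ID, secret and token values are assumed placeholders.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://accounts.elixpo.com/oauth/authorize"  # from the docs above
TOKEN_URL = "https://accounts.elixpo.com/api/auth/token"        # from the docs above

def new_state():
    return secrets.token_urlsafe(32)  # Step 1: CSRF token; persist it in the server-side session

def build_authorize_url(client_id, redirect_uri, state, scope="openid profile email"):
    """Step 1: the redirect target; urlencode encodes the space-separated scope list."""
    q = {"response_type": "code", "client_id": client_id,
         "redirect_uri": redirect_uri, "state": state, "scope": scope}
    return f"{AUTHORIZE_URL}?{urlencode(q)}"

def parse_callback(callback_url, expected_state):
    """Step 2: check state first (constant-time), then tell approval from denial."""
    qs = parse_qs(urlparse(callback_url).query)
    got = qs.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback (possible CSRF)")
    if "error" in qs:
        raise PermissionError(f"authorization denied: {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code

def code_exchange_body(code, client_id, client_secret, redirect_uri):
    """Step 3: JSON body for POST TOKEN_URL; built only on the backend, where the secret lives."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}

class TokenSet:
    """Holds one token response (constructed shape); tracks expiry and rotates refresh tokens."""
    def __init__(self, resp, now=None):
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        self.expires_at = (now if now is not None else time.time()) + resp["expires_in"]
    def needs_refresh(self, now=None, skew=30):
        """True once the access token is within `skew` seconds of its 15-minute lifetime."""
        return (now if now is not None else time.time()) >= self.expires_at - skew
    def refresh_body(self, client_id):
        return {"grant_type": "refresh_token", "refresh_token": self.refresh_token,  # Step 4
                "client_id": client_id}
    def rotate(self, resp, now=None):
        self.__init__(resp, now)  # old refresh token is now invalid; keep only the new one
```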