#### Obtaining tokens for users
Every request to the Kantata OX API must be accompanied by a valid OAuth token, indicating that your application has been authorized by the Kantata OX user in question. When you register an application with us, we'll provide you with a secret key. That key is unique to your application, and shouldn't be shared with anyone else. Treat it like a password. You'll need it to request user tokens.
To authorize your application for Kantata OX API access and obtain a user token, follow the below steps for each Kantata OX user:
Note: If you are using an OAuth2 library, many of these steps will be handled for you.
1. Request a short-term code, granted when the Kantata OX user agrees to allow your application access.
Send your user to `/oauth/authorize` with the REQUIRED parameters `client_id`, `response_type`, and `redirect_uri`.
  * `client_id` is the ID assigned to your application by Kantata OX
  * `response_type` must be set to "code"
  * `redirect_uri` must be set to a URL where your application can accept codes and then exchange them for access tokens. It should match the `redirect_uri` specified when you registered your application.
Here is an example URL that an application located at "myapp.com" might use. (Linebreaks are not included in the URL.)

```curl
  https://app.mavenlink.com/oauth/authorize?response_type=code&client_id=abc123&redirect_uri=http%3A%2F%2Fmyapp.com%2Foauth%2Fcallback
```
2. The user will be asked by Kantata OX if they want to authorize your application to interact with Kantata OX on their behalf.
If something goes wrong (like the user refused to authorize your application), Kantata OX will redirect to the `redirect_uri` with query parameters providing information about the error. For example, if authorization is denied, the user will be redirected to:

```curl
  $REDIRECT_URI?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request.
```
If the user allows your application, then Kantata OX will redirect to the `redirect_uri` with query parameters providing your application with a time-limited code that your application can exchange for an access token within the next 5 minutes. Here is an example redirection with granted access:

```curl
  $REDIRECT_URI?code=abc123
```
3. Your application exchanges the code for an access token
Now that your application has a code, it should make a POST request directly to Kantata OX at `https://app.mavenlink.com/oauth/token` to exchange the code for an access token that will allow continued interaction with the Kantata OX API. The request must include the `client_id`, `client_secret`, `grant_type`, `code`, and `redirect_uri` parameters.
  * `client_id` is the ID assigned to your application by Kantata OX
  * `client_secret` is the secret token assigned to your application by Kantata OX
  * `grant_type` must be set to "authorization_code" in order to exchange a code for an access token
  * `code` is the value that was returned in the `code` query parameter when Kantata OX redirected back to your `redirect_uri`
  * `redirect_uri` is the exact same value that you used in the original request to `/oauth/authorize`
If the request is invalid for some reason, an error response like the one described above will be returned. However, the parameters will be returned in the response body, encoded as JSON, instead of in the URL encoded as query parameters.
If the request is valid, Kantata OX will provide a response body, encoded in JSON, containing `access_token` and `token_type`.
  * `access_token` is the token that your application will use to authenticate requests to the Kantata OX API as this user
  * `token_type` will be "bearer"
4. Your application uses the access token to make authenticated requests to the Kantata OX API
At this point, your application can use the access token to authenticate requests made to the Kantata OX API as described above in the [Authentication](#authentication) section.
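The following Python client helper is an added example, not code from this documentation or from Kantata OX; it walks through steps 1 to 4 above without any network access so the pieces can be checked individually. It builds the `/oauth/authorize` URL, validates the redirect back to `redirect_uri` (rejecting the `error` redirect and a redirect whose `state` does not match the one this session issued), assembles the `/oauth/token` POST body, and validates the JSON token response before turning `access_token` into a bearer header. Two things are assumptions of the example rather than facts from this page: that the authorization server accepts and echoes back the standard OAuth 2.0 `state` parameter (RFC 6749 section 4.1.1), and the `post` argument of `exchange_code`, which is a test hook of this example so the token exchange can be exercised with a constructed response; all client ids, codes and tokens below are constructed sample values.

```python
"""Kantata OX OAuth 2.0 authorization-code flow, as a minimal client helper (example code)."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://app.mavenlink.com/oauth/authorize"
TOKEN_URL = "https://app.mavenlink.com/oauth/token"
CODE_LIFETIME_SECONDS = 300  # the page states a code can be exchanged within 5 minutes


class OAuthError(Exception):
    """Raised when Kantata OX reports an error or a local consistency check fails."""


def new_state() -> str:
    # Unguessable per-login value, stored in the user's session and compared on return
    # so a redirect that this session did not initiate is rejected (assumption: the
    # server echoes `state` back per RFC 6749; this page does not mention it).
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the URL the user is sent to. redirect_uri must match the registered one."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: read the redirect to redirect_uri; return the code or raise OAuthError."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        # Denied authorization arrives as ?error=access_denied&error_description=...
        desc = query.get("error_description", [""])[0]
        raise OAuthError(f"{query['error'][0]}: {desc}")
    if query.get("state", [None])[0] != expected_state:
        raise OAuthError("state mismatch: redirect was not initiated by this session")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise OAuthError("redirect did not carry exactly one code parameter")
    return codes[0]


def token_request_body(client_id: str, client_secret: str, code: str, redirect_uri: str) -> bytes:
    """Step 3: form-encoded POST body for /oauth/token (the secret never goes in a URL)."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value used in step 1
    }).encode()


def parse_token_response(body: bytes) -> str:
    """Step 3: validate the JSON reply; errors come back in the body, not the URL."""
    data = json.loads(body)
    if "error" in data:
        raise OAuthError(f"{data['error']}: {data.get('error_description', '')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise OAuthError(f"unexpected token_type {data.get('token_type')!r}")
    token = data.get("access_token")
    if not token:
        raise OAuthError("response lacks access_token")
    return token


def _http_post(url: str, body: bytes) -> bytes:
    """Default transport: POST the body over HTTPS and return the response body.
    A 4xx reply still carries the JSON error document, so it is returned for parsing."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def exchange_code(client_id: str, client_secret: str, code: str, redirect_uri: str,
                  post=_http_post) -> str:
    """Step 3 end to end. `post` is a hook of this example (not an API feature)."""
    body = token_request_body(client_id, client_secret, code, redirect_uri)
    return parse_token_response(post(TOKEN_URL, body))


def bearer_header(access_token: str) -> dict:
    """Step 4: header added to every Kantata OX API request made as this user."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("abc123", "http://myapp.com/oauth/callback", state))
```

Store `state` server-side with the user's session before redirecting, keep `client_secret` out of browser-visible code and logs, and treat the returned `access_token` with the same care as the secret itself, since it authenticates as that user.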

