Introduction

We use the OAuth 2.0 Authorization Framework for securing API endpoints and authorizing API requests. You should read the specification of the framework and gain a basic understanding of it before continuing.

You'll need to register your application before continuing. A registered application is provided with a unique Client ID and Client Secret which will be used in the authorization flow. Note that the Client Secret should not be shared.

Two grant types are used to issue access tokens:

  • Authorization Code Grant: authorizing and issuing access tokens for third-party applications.
  • Resource Owner Password Credentials Grant: authorizing and issuing access tokens for first-party applications.

API endpoints require an access token for authorization. The token is passed in the Authorization request header, as the token type followed by the token itself.

Here are some terms you need to know:

  • Client (Application) - An application which accesses protected resources on behalf of the resource owner (such as a user).
  • Grant - A method for acquiring an access token.
  • Access Token - A token issued by Luxstay and used to access protected resources (generally via API requests). The format of the token is JWT.
  • Scope - A permission (defined by Luxstay) applied to the access token.

For a successful token request, these keys may appear in the token response:

  • token_type a string representing the token type, typically Bearer.
  • expires_in an integer representing the TTL of the access token.
  • access_token a JWT signed with the authorization server’s private key.
  • refresh_token an encrypted payload that can be used to refresh the access token when it expires.
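The following added example (not Luxstay's own client code) shows the first-party side of the flow described above: sending the Client ID and Client Secret to the token endpoint, building the Resource Owner Password Credentials and refresh_token requests, parsing the token response keys listed above into an expiry deadline, and forming the Authorization header for API calls. It assumes the token endpoint accepts HTTP Basic client authentication; the sample response and all credential values are constructed placeholders.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

@dataclass
class TokenSet:
    token_type: str
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute Unix time, derived from the relative expires_in TTL

def client_auth_header(client_id: str, client_secret: str) -> dict:
    # Client ID and Client Secret go in an HTTP Basic header to the token endpoint
    # (RFC 6749 §2.3.1), never in a query string that would end up in logs.
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def password_grant_body(username: str, password: str, scope: Optional[str] = None) -> bytes:
    # Form body for the Resource Owner Password Credentials grant (first-party apps only).
    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope
    return urlencode(params).encode()

def refresh_grant_body(refresh_token: str) -> bytes:
    # Form body that exchanges the opaque refresh_token for a new access token.
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token}).encode()

def parse_token_response(body: bytes, now: float) -> TokenSet:
    # Reject error responses instead of sending an empty bearer token to the API.
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token request failed: {data.get('error', 'no access_token')}")
    return TokenSet(data.get("token_type", "Bearer"), data["access_token"],
                    data.get("refresh_token"), now + int(data["expires_in"]))

def needs_refresh(tokens: TokenSet, now: float, leeway: int = 30) -> bool:
    # Refresh slightly before the deadline so in-flight API calls do not fail with 401.
    return now >= tokens.expires_at - leeway

def api_auth_header(tokens: TokenSet) -> dict:
    # "Authorization: <token_type> <access_token>", as API endpoints expect.
    return {"Authorization": f"{tokens.token_type} {tokens.access_token}"}

# Constructed sample token response; access_token and refresh_token are placeholders.
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3600,
    "access_token": "eyJ.placeholder.jwt", "refresh_token": "placeholder-refresh"}).encode()
```

Send the bodies with `Content-Type: application/x-www-form-urlencoded` over HTTPS only; the Client Secret and user password never belong in a URL.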
Last Updated: 11/18/2018, 9:11:26 AM