OAuth2 Authentication

OAuth2 is the preferred method of authenticating access to the API. OAuth2 allows authorization without the external application getting the user's email address or password. Instead, the external application gets a token that authorizes access to the user's account. The user can revoke the token for one application without affecting access by any other application.

Registering an Application

An external application must be registered with Aha! before it can use OAuth2 to authenticate users.

A registered application can be used by all users of Aha!, not just the users of the account of the person registering the application. However, registered applications are not discoverable—simply registering your application does not make it visible to any other Aha! users (even users in your own account)—it is up to you to publicize your application.

Register your application

Once an application is registered you can use the client ID,client secret and redirect URL in the authorization flow.

Authorization Flow

To authorize an external application to authenticate as a user, the application uses browser redirects to send the user to Aha!. Aha! supports the OAuth2 authorization code flow (suitable for server based applications), and implicit grant flow (suitable for browser based applications).

Redirect user to request access

The user should be redirected in their browser to the OAuth2 authorize URL, passing the application specific parameters:

GET https://<subdomain>.aha.io/oauth/authorize



client_id *

Required. The client ID created when the application was registered.

redirect_uri *

Required. The URL where the user will be redirected after they have authorized the application. This must be the same as the redirect URL provided when the application was registered.

response_type *

Required. Controls which flow will be used to return the access_token. Using a value of code will use the authorization code flow and using a value of token will use the implicit grant flow.

Aha! redirects user back to application

Once the user authorizes the application their browser will be redirected back to the redirect_uri.

If the implicit grant flow is being used then the URL the user is redirected to will include a parameter named access_token which is the value of the access token that can be directly used with the API.

If the authorization code flow is being used then Aha! will include a parameter in the URL named code which must be exchanged for the access token by making another request to Aha! in the next step.

This redirect will also include a account_subdomain parameter. If the user was sent to secure.aha.io at the start of the flow, this parameter contains the subdomain of that user's account. You can use this subdomain for the request access token flow below, or for making API requests

Request access token

The application exchanges the code from the previous step for an access token. In this step the application uses its secret which provides an additional level of security since Aha! can be sure that it is an authorized application that is making the request on behalf of the user.

POST https://<subdomain>.aha.io/oauth/token




code *

Required. The code value that was returned by the previous step in the flow.

client_id *

Required. The client ID created when the application was registered.

client_secret *

Required. The client secret that was created when the application was registered.

grant_type *

Required. Must contain the value authorization_code.

redirect_uri *

Required. This must be the same as the redirect URL provided when the application was registered.

For example:

curl "https://mydomain.aha.io/oauth/token" -X POST --data "client_id=a73bbb264c7432421b9abc05fae6bf9379b9fb49bbefdf84ab036487fd5b&client_secret=467b9a301fedac887a46a23d3f29d76afdff30ac9bbf6c8c&code=10dbffca01ce6985868b4cee84e0444f5bcdda104b60a13038c1d74b72e6797f&grant_type=authorization_code&redirect_uri=http://lvh.me/app_callback.html" 

The response to this POST will be a JSON string containing the access token that can then be used to access the API: