Oauth2 Authentication

Oauth2 is the preferred method of authenticating access to the API. Oauth2 allows authorization without the external application getting the user's email address or password. Instead, the external application gets a token that authorizes access to the user's account. The user can revoke the token for one application without affecting access by any other application.

Registering an Application

An external application must be registered with Aha! before it can use Oauth2 to authenticate users.

A registered application can be used by all users of Aha!, not just the users of the account of the person registering the application. However, registered applications are not discoverable—simply registering your application does not make it visible to any other Aha! users (even users in your own account)—it is up to you to publicize your application.

Register your application

Once an application is registered you can use the client ID, client secret and redirect URL in the authorization flow.

Authorization Flow

To authorize an external application to authenticate as a user, the application uses browser redirects to send the user to Aha!. Aha! supports the Oauth2 authorization code flow (suitable for server based applications), and implicit grant flow (suitable for browser based applications).

1. Redirect user to request access

The user should be redirected in their browser to the Ouath2 authorize URL, passing the application specific parameters:

GET https://<subdomain>.aha.io/oauth/authorize


Name Description
client_id Required. The client ID created when the application was registered.
redirect_uri Required. The URL where the user will be redirected after they have authorized the application. This must be the same as the redirect URL provided when the application was registered.
response_type Required. Controls which flow will be used to return the access_token. Using a value of code will use the authorization code flow and using a value of token will use the implicit grant flow.

2. Aha! redirects user back to application

Once the user authorizes the application their browser will be redirected back to the redirect_uri.

If the implicit grant flow is being used then the URL the user is redirected to will include a parameter named access_token which is the value of the access token that can be directly used with the API.

If the authorization code flow is being used then Aha! will include a parameter in the URL named code which must be exchanged for the access token by making another request to Aha! in the next step.

3. Request access token

The application exchanges the code from the previous step for an access token. In this step the application uses its secret which provides an additional level of security since Aha! can be sure that it is an authorized application that is making the request on behalf of the user.

POST https://<subdomain>.aha.io/oauth/token


Name Description
code Required. The code value that was returned by the previous step in the flow.
client_id Required. The client ID created when the application was registered.
client_secret Required. The client secret that was created when the application was registered.
grant_type Required. Must contain the value authorization_code.
redirect_uri Required. This must be the same as the redirect URL provided when the application was registered.

For example:

curl "https://mydomain.aha.io/oauth/token" -X POST --data "client_id=a73bbb264c7432421b9abc05fae6bf9379b9fb49bbefdf84ab036487fd5b&client_secret=467b9a301fedac887a46a23d3f29d76afdff30ac9bbf6c8c&code=10dbffca01ce6985868b4cee84e0444f5bcdda104b60a13038c1d74b72e6797f&grant_type=authorization_code&redirect_uri=http://lvh.me/app_callback.html" 

The response to this POST will be a JSON string containing the access token that can then be used to access the API:



API Resources