OAuth Authorization
A bot can only access limited information about users. To access the profiles, assets, and other data of Mixin Messenger users, the developer needs to request authorization from the user.
Requesting Authorization
GET https://www.mixin.one/oauth/authorize?client_id=CLIENT_ID&scope=PROFILE:READ+ASSETS:READ&response_type=code&return_to=
The state parameter is optional and could enhance security together with PKCE; see https://www.oauth.com/oauth2-servers/pkce/authorization-request for details.
Get Access Token
After successful authorization, the page automatically redirects to the application's OAuth callback URL. The callback URL carries the authorization code, which the developer then exchanges for the information needed to sign requests.
POST /oauth/token
Exchange the authorization code for the information that OAuth request signing needs.
Endpoint URL
https://api.mixin.one/oauth/token
Payload
{
"client_id": "user's client_id",
"code": "authorization code returned by the successful authorization callback",
"client_secret": "application's app secret",
"code_verifier": "",
"ed25519": "ed25519 random public key, client need to save the private key to sign message"
}
Example request
curl -i -X POST -H "Content-Type: application/json" https://api.mixin.one/oauth/token --data PAYLOAD
Example response
{
"ed25519": "ed25519 random public key of server",
"authorization_id": "id of user authorization",
"scope": "list of permissions that the user has given, e.g. 'PROFILE:READ ASSETS:READ'"
}
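As an added example (not from Mixin's documentation or SDK), the client side of the flow described above in Python: generate a PKCE verifier/challenge pair, build the authorize URL with a state value, then check state on the callback before assembling the /oauth/token payload. The code_challenge and code_challenge_method query names are the standard PKCE parameters from the linked page and are assumed to be accepted by the authorize endpoint; the ed25519 public key is assumed to be generated with a separate library.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://www.mixin.one/oauth/authorize"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Return (code_verifier, code_challenge) for S256; 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def pkce_matches(verifier: str, challenge: str) -> bool:
    """The token endpoint's check: base64url(SHA-256(verifier)) must equal the challenge."""
    return secrets.compare_digest(b64url(hashlib.sha256(verifier.encode("ascii")).digest()), challenge)

def build_authorize_url(client_id, scope, return_to, state, challenge):
    """Build the GET /oauth/authorize URL from the page plus state and the PKCE challenge
    (code_challenge / code_challenge_method are the standard names; assumed accepted here)."""
    params = {
        "client_id": client_id,
        "scope": scope,                    # e.g. "PROFILE:READ ASSETS:READ"
        "response_type": "code",
        "return_to": return_to,
        "state": state,                    # random value stored in the user's session
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params, safe=":")

def build_token_payload(callback_url, expected_state, client_id, client_secret, verifier, ed25519_pub):
    """Validate the callback, then assemble the POST /oauth/token body shown on the page.
    ed25519_pub is a base64 public key generated elsewhere; keep its private key for signing."""
    query = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return {
        "client_id": client_id,
        "code": query["code"][0],
        "client_secret": client_secret,
        "code_verifier": verifier,
        "ed25519": ed25519_pub,
    }
```

The verifier and state must be kept in the user's server-side session between the redirect and the callback; the payload dict is what goes into the curl --data above.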
Revoking Authorization
Users can revoke authorization in Mixin Messenger Settings, and an authorization expires after a year in any case, so developers must handle expired or revoked tokens.