A bot can only access limited information about users. To access the profiles, assets and other data of Mixin Messenger users, the developer must request authorization from the user.
The state parameter is optional and, together with PKCE, can further strengthen the authorization request; see https://www.oauth.com/oauth2-servers/pkce/authorization-request for details.
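The two values mentioned above are generated on the client before the authorization request is sent. The following Go program is an added example (not Mixin's SDK or documentation code): it produces a random state, a PKCE code_verifier and its S256 code_challenge as defined in RFC 7636, and shows the two checks that make them useful, the client comparing the state echoed back on the callback, and the server recomputing the challenge from the verifier at token time. The 32-byte token length and the function names are this example's own choices; the page itself does not specify how Mixin transports PKCE parameters.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// randomToken returns n random bytes as unpadded base64url, which is inside
// the character set RFC 7636 allows for a code_verifier; 32 bytes give 43 chars.
func randomToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// NewState makes the opaque value the client stores in its session and later
// compares with the state echoed back on the callback URL (CSRF protection).
func NewState() (string, error) { return randomToken(32) }

// NewCodeVerifier makes the PKCE secret the client keeps until the token request.
func NewCodeVerifier() (string, error) { return randomToken(32) }

// CodeChallengeS256 computes BASE64URL(SHA256(ASCII(code_verifier))), the
// value sent with the authorization request (RFC 7636 section 4.2).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeChallenge is the server-side check at token time: an intercepted
// authorization code cannot be redeemed without the verifier behind the challenge.
func VerifyCodeChallenge(verifier, challenge string) bool {
	got := CodeChallengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(challenge)) == 1
}

// StateMatches is the client-side check on the callback; an empty stored
// state means no request is pending and the callback must be rejected.
func StateMatches(stored, received string) bool {
	return stored != "" && subtle.ConstantTimeCompare([]byte(stored), []byte(received)) == 1
}

func main() {
	state, err := NewState()
	if err != nil {
		panic(err)
	}
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	fmt.Println("state (store in session):", state)
	fmt.Println("code_verifier (keep for the token request):", verifier)
	fmt.Println("code_challenge (send with the authorization request):", CodeChallengeS256(verifier))
}
```

Both comparisons are constant-time on purpose; the values are short-lived, but there is no reason to leak anything about them through timing.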
Get Access Token
After successful authorization, the page automatically redirects to the application's OAuth callback URL. The callback URL carries the authorization code, which the developer then exchanges for the information needed to sign requests.
Request the information that the OAuth signature needs with the following payload:

{
  "client_id": "user's client_id",
  "code": "authorization code returned by the successful authorization callback",
  "client_secret": "application's app secret",
  "ed25519": "ed25519 random public key; the client needs to save the private key to sign messages"
}
curl -i -X POST -H "Content-Type: application/json" https://api.mixin.one/oauth/token --data PAYLOAD

Response:

{
  "ed25519": "ed25519 random public key of server",
  "authorization_id": "id of user authorization",
  "scope": "list of permissions that the user has given, e.g. 'PROFILE:READ ASSETS:READ'"
}
Users can revoke authorization in Mixin Messenger Settings, and an authorization expires after a year in any case, so developers should handle expired tokens.
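The exchange above, from generating the ed25519 key pair through storing what the response returns, as an added Go example that is not Mixin's SDK or documentation code. It builds the POST /oauth/token payload with the fields shown on this page, keeps the private key on the client (only the public half is sent), POSTs to https://api.mixin.one/oauth/token, decodes the three response fields, and exposes a scope check and a signing helper for later requests. Assumptions that the page does not state: keys are carried as unpadded base64url (check the official SDK for the real encoding), the response object is the bare JSON shown above rather than wrapped in an envelope, and a non-2xx status is treated as "code used, expired or revoked" so the caller sends the user through authorization again. The placeholder client id, code and secret in main are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// TokenRequest is the POST /oauth/token payload shown on this page.
type TokenRequest struct {
	ClientID     string `json:"client_id"`
	Code         string `json:"code"`
	ClientSecret string `json:"client_secret"`
	Ed25519      string `json:"ed25519"` // client's ed25519 public key
}

// TokenResponse carries the three response fields shown on this page.
type TokenResponse struct {
	Ed25519         string `json:"ed25519"` // server's ed25519 public key
	AuthorizationID string `json:"authorization_id"`
	Scope           string `json:"scope"` // space separated, e.g. "PROFILE:READ ASSETS:READ"
}

// Session is what the client must persist: its own private key (never sent),
// the server's public key, the authorization id and the scopes actually granted.
type Session struct {
	PrivateKey      ed25519.PrivateKey
	ServerPublicKey ed25519.PublicKey
	AuthorizationID string
	Scopes          []string
}

// keyEncoding is an assumption of this example, not taken from the page.
var keyEncoding = base64.RawURLEncoding

// NewTokenRequest generates a fresh key pair per authorization, puts only the
// public key in the payload and hands the private key back to the caller to save.
func NewTokenRequest(clientID, code, clientSecret string) (TokenRequest, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return TokenRequest{}, nil, err
	}
	req := TokenRequest{ClientID: clientID, Code: code, ClientSecret: clientSecret,
		Ed25519: keyEncoding.EncodeToString(pub)}
	return req, priv, nil
}

// ExchangeCode POSTs the payload and decodes the response into a Session.
// A non-2xx status is returned as an error: the code may already be used,
// expired or revoked, and the fix is a new authorization, not a retry loop.
func ExchangeCode(client *http.Client, endpoint string, req TokenRequest, priv ed25519.PrivateKey) (*Session, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	resp, err := client.Post(endpoint, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the body size
	if err != nil {
		return nil, err
	}
	if resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("token exchange failed: HTTP %d: %s", resp.StatusCode, raw)
	}
	return ParseTokenResponse(raw, priv)
}

// ParseTokenResponse validates the server's key length and splits the scope string.
func ParseTokenResponse(raw []byte, priv ed25519.PrivateKey) (*Session, error) {
	var tr TokenResponse
	if err := json.Unmarshal(raw, &tr); err != nil {
		return nil, err
	}
	serverPub, err := keyEncoding.DecodeString(tr.Ed25519)
	if err != nil || len(serverPub) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("invalid server ed25519 public key")
	}
	return &Session{PrivateKey: priv, ServerPublicKey: ed25519.PublicKey(serverPub),
		AuthorizationID: tr.AuthorizationID, Scopes: strings.Fields(tr.Scope)}, nil
}

// HasScope is the check to run before calling an endpoint that needs a
// permission: the user may have granted fewer scopes than were requested.
func (s *Session) HasScope(want string) bool {
	for _, sc := range s.Scopes {
		if sc == want {
			return true
		}
	}
	return false
}

// Sign signs a message with the saved private key; the server verifies it
// against the public key that was sent in the token request.
func (s *Session) Sign(msg []byte) []byte { return ed25519.Sign(s.PrivateKey, msg) }

func main() {
	// Constructed placeholders; real values come from the app settings and the callback.
	req, priv, err := NewTokenRequest("CLIENT_ID_PLACEHOLDER", "CODE_FROM_CALLBACK", "CLIENT_SECRET_PLACEHOLDER")
	if err != nil {
		panic(err)
	}
	payload, _ := json.MarshalIndent(req, "", "  ")
	fmt.Println(string(payload))
	_ = priv // persist this alongside the Session returned by ExchangeCode
	// Live call: ExchangeCode(http.DefaultClient, "https://api.mixin.one/oauth/token", req, priv)
}
```

Keep the private key with the same care as the client secret: anyone holding it can sign as the authorized user until the authorization is revoked or expires.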