
OAuth Authorization

Bot can only access limited information of users. To access the profiles, assets, and other data of Mixin Messenger users, the developer needs to apply for authorization from the user.

Requesting Authorization

GET https://www.mixin.one/oauth/authorize?client_id=CLIENT_ID&scope=PROFILE:READ+ASSETS:READ&response_type=code&return_to=

Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| client_id | required | Application client_id |
| scope | required | Requested permissions |
| response_type | required | Use `code` to return an authorization code |
| state | optional | A random string generated by your application, which you'll verify later. |
| code_challenge | optional | The code challenge generated by your app: a SHA256 hash of your code verifier. For more information see https://www.oauth.com/oauth2-servers/pkce/authorization-request |
| code_challenge_method | optional | The code challenge method; set it to `SHA256` |

The `state` parameter is optional, and security can be further enhanced with PKCE (`code_challenge` and `code_challenge_method`); details in https://www.oauth.com/oauth2-servers/pkce/authorization-request.

Get Access Token

After successful authorization, the page is automatically redirected to the application's OAuth callback URL with the authorization code appended. The developer then exchanges this code for the information needed to sign requests.

POST /oauth/token

Exchange the authorization code for the information an OAuth signature needs.

Endpoint URL

 https://api.mixin.one/oauth/token

Payload

{
  "client_id": "user's client_id",
  "code": "authorization code returned by the successful authorization callback",
  "client_secret": "application's app secret",
  "code_verifier": "",
  "ed25519": "ed25519 random public key, client need to save the private key to sign message"
}

Example request

curl -i -X POST -H "Content-Type: application/json"  https://api.mixin.one/oauth/token --data PAYLOAD

Response

{
  "ed25519": "ed25519 random public key of server",
  "authorization_id": "id of user authorization",
  "scope": "list of permissions that the user has given, e.g. 'PROFILE:READ ASSETS:READ'"
}
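The client side of the flow above, as an added example that is not part of the Mixin documentation or SDKs: it derives a PKCE verifier/challenge pair, builds the authorization URL with `state`, checks the echoed `state` on the callback before trusting the code, and assembles the `/oauth/token` payload. The `base64url(SHA256(verifier))` encoding of `code_challenge` and the `app.example` callback host are assumptions; the ed25519 public key is supplied by the caller.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://www.mixin.one/oauth/authorize"

def code_challenge_for(verifier: str) -> str:
    """base64url(SHA256(verifier)) without padding, as in the linked PKCE reference
    (assumed to be the encoding expected for code_challenge_method=SHA256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge); verifier is 86 url-safe chars (43..128 allowed)."""
    verifier = secrets.token_urlsafe(64)
    return verifier, code_challenge_for(verifier)

def build_authorize_url(client_id, scopes, state, code_challenge, return_to=""):
    """Authorization request carrying state and PKCE; the caller must keep state
    and code_verifier server-side until the callback arrives."""
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),  # urlencode emits the '+' separator seen in the page
        "response_type": "code",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "SHA256",
        "return_to": return_to,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Verify the echoed state (CSRF check) before accepting the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback rejected")
    return qs["code"][0]

def token_payload(client_id, code, client_secret, code_verifier, ed25519_pub):
    """Body for POST /oauth/token; ed25519_pub is the client's fresh public key
    (generate it with any ed25519 library and keep the private key to sign later)."""
    return {"client_id": client_id, "code": code, "client_secret": client_secret,
            "code_verifier": code_verifier, "ed25519": ed25519_pub}
```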

Revoking Authorization

Users can revoke authorization in Mixin Messenger Settings, and an authorization expires after a year in any case. Developers should handle expired or revoked tokens.