
OAuth Authorization

To access the profiles, assets, and other data of Mixin Messenger users, the developer needs to apply for authorization from the user.

Requesting Authorization

GET https://www.mixin.one/oauth/authorize?client_id=CLIENT_ID&scope=PROFILE:READ+ASSETS:READ&response_type=code&return_to=

Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| client_id | *required | Application client_id |
| scope | *required | Requested permissions |
| response_type | *required | Use `code` to return authorization code |
| state | | A random string generated by your application, which you'll verify later. |
| code_challenge | | The code challenge generated by your app. It is a SHA256 hash of your code verifier. For more information about it, please see https://www.oauth.com/oauth2-servers/pkce/authorization-request |
| code_challenge_method | | The code challenge method. Please set it to `SHA256`. |

Get Access Token

After successful authorization, the page automatically redirects to the application's OAuth URL. The callback URL carries the authorization code and the return_to parameter, and the developer then requests a token using the authorization code:

POST /oauth/token

Returns the access token.

API endpoint URL

https://api.mixin.one/oauth/token

Request body

{
  "client_id":     "application's client_id",
  "code":          "authorization code returned by the successful authorization callback",
  "client_secret": "application's app secret"
}

Request example

curl -i -X POST -H "Content-Type: application/json"  https://api.mixin.one/oauth/token --data PAYLOAD
Response

{
  "access_token": "user authorization token",
  "scope": "list of permissions that the user has given, e.g. 'PROFILE:READ ASSETS:READ'"
}

It is recommended that developers cache the access token and use it in subsequent API calls to access user data and to determine whether the user has authorized the application.
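An added example (not from the Mixin documentation) of the authorization request and callback handling described above: it generates `state` and the PKCE `code_challenge`, then checks `state` before building the `POST /oauth/token` body. It assumes the challenge is base64url-encoded without padding as in RFC 7636 and that the callback echoes `state` as a query parameter; the function names and the session dict are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.mixin.one/oauth/authorize"  # from this page


def new_authorization_request(client_id, scope="PROFILE:READ ASSETS:READ"):
    """Return (url, session); keep session server-side, bound to the user's login."""
    state = secrets.token_urlsafe(32)          # unguessable, single use
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43-128
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    # Assumption: base64url without '=' padding, as RFC 7636 specifies.
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "client_id": client_id,
        "scope": scope,                      # the space becomes '+', as in the page's URL
        "response_type": "code",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "SHA256",   # value given on this page
    }, safe=":")
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": code_verifier}


def token_request_body(callback_url, session, client_id, client_secret):
    """Validate the callback, then build the documented POST /oauth/token body."""
    params = parse_qs(urlsplit(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison; a missing or foreign state aborts the flow (CSRF guard).
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback must carry exactly one authorization code")
    # Only the three fields this page documents are sent; the page does not say
    # how the code verifier is submitted, so it stays in the session here.
    return {"client_id": client_id, "code": codes[0], "client_secret": client_secret}
```

Discard the session entry after one callback so a replayed `state` is rejected, and keep `client_secret` on the server only.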

Revoking Authorization

Developers can find the bot and revoke authorization in Mixin Messenger under Settings, Privacy and Security, Authorization. Note that revoking authorization will also clear the cached information of the current bot on the client side, such as cookies.