Authorization
header (recommended):client_id
as well as the client_secret
or redirect_uri
, depending on the auth flow your application will use.document.location.hash
.state
parameter (you should), this will also be returned and should be validated against your original request prior to commencing any interaction.code
as the requested response type.state
parameter if it was included in your original request. This should be validated before continuing.expires_in
- which is the number of seconds the token is valid for. By default, this is 14 days. When this period has elapsed your application will need to obtain a new access token. This can be done either by repeating the original authentication flow, or using a refresh token if provided.access_token
, successful authentication requests may also contain a refresh_token
. This can be used to renew the session at any time, extending access as long as both the application registration and user are still valid.