# Authorization Code Flow

Following the OAuth2 authorization code flow lets your application obtain an authorization code on the user's behalf
and exchange it for an `access_token`.

Complete details of the specification are available in [RFC 6749 section 4.1](https://www.rfc-editor.org/rfc/rfc6749#section-4.1).

We strongly suggest using a standards-compliant [client library](https://oauth.net/code/) to perform the next steps, using the configuration values provided by DailyPay.

## 1. Initiate an OAuth2 request

- Construct the request URL using the template below, replacing the `{scope}`, `{client_id}`, and `{redirect_uri}` parameters with the configuration values provided to you.
- Additionally, generate a `state` parameter for this specific request, and a code challenge and verifier (the verifier is used in a later step) for Proof Key for Code Exchange (PKCE).
- Make sure to URL-encode each parameter, e.g. `user:read_write` becomes `user%3aread_write`.

```
https://auth.dailypay.com/oauth2/auth
    ?response_type=code
    &scope={scope}
    &client_id={client_id}
    &redirect_uri={redirect_uri}
    &state={state}
    &code_challenge={code_challenge}
    &code_challenge_method=S256
```

### Example

```
  https://auth.dailypay.com/oauth2/auth
    ?response_type=code
    &scope=user%3aread_write%20openid
    &client_id=your-client-id
    &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
    &state=9876543fghijklm
    &code_challenge=hKpKupTM391pE10xfQiorMxXarRKAHRhTfH_xkGf7U4
    &code_challenge_method=S256
```

## 2. Open a browser window, tab, or secure mobile view to the constructed URL.

The user will be prompted to log in or create a new DailyPay account and will be prompted to allow your application to act on their behalf.

## 3. Handle the code

Users will be redirected in the open tab to your callback URL with a `code` query parameter,
or with an `error` and `error_description` if the user did not consent to your application's request or otherwise encountered an error.
The `state` parameter you sent is also returned, and should be compared against the value stored for this request before the `code` is used.

## 4. Exchange the code for an Access Token

Send the following parameters, encoded as `application/x-www-form-urlencoded` in the request body, to the token endpoint:

| Environment | Token Endpoint |
|  --- | --- |
| Production | https://auth.dailypay.com/oauth2/token |
| UAT | https://auth.uat.dailypay.com/oauth2/token |

```json
{
  "$ref": "#/components/schemas/AuthCodeFlowCodeExchange",
  "components": {
    "schemas": {
      "AuthCodeFlowCodeExchange": {
        "type": "object",
        "title": "Authorization code flow",
        "required": [
          "grant_type",
          "code",
          "redirect_uri",
          "client_id",
          "state"
        ],
        "properties": {
          "grant_type": {
            "type": "string",
            "description": "The OAuth2 grant type",
            "const": "authorization_code"
          },
          "code": {
            "type": "string",
            "description": "An authorization code received through user authorization flow",
            "example": "50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw"
          },
          "redirect_uri": {
            "type": "string",
            "description": "The url redirected to after the authorization flow was completed by current user.",
            "example": "https://example.com/callback"
          },
          "state": {
            "type": "string",
            "description": "A value used by the client to maintain state between the request and callback. This is used to prevent CSRF attacks. See https://www.rfc-editor.org/rfc/rfc6749#section-10.12 for more detail.",
            "example": "xyzABC123"
          },
          "code_verifier": {
            "type": "string",
            "description": "A PKCE verifier matching the challenge submitted during the authorization code request.",
            "example": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
          },
          "client_id": {
            "description": "The client id of the application requesting the token.",
            "type": "string",
            "example": "your_client_id"
          },
          "client_secret": {
            "type": "string",
            "description": "The client secret of the application requesting the token, if available.",
            "example": "your_client_secret"
          }
        }
      }
    }
  }
}
```
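A minimal client-side implementation of steps 1 through 4, written here as an added example rather than DailyPay's own code: it derives the S256 challenge from a PKCE verifier, builds the authorization URL with percent-encoded parameters, rejects a callback whose `state` does not match before accepting a `code`, and assembles the form body for the token endpoint. The HTTP POST itself is left to the reader; the endpoint URLs, parameter names and the example verifier are the ones on this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs, quote

AUTHORIZE_URL = "https://auth.dailypay.com/oauth2/auth"
TOKEN_URL = "https://auth.dailypay.com/oauth2/token"  # production; UAT differs


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) with '=' padding stripped (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """32 random bytes give a 43-char base64url verifier; RFC 7636 allows 43..128 chars."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Step 1: every value is percent-encoded (quote, not quote_plus, so ' ' -> %20)."""
    params = {
        "response_type": "code",
        "scope": scope,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: check state first (it is returned on error too), then error, then code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def token_request_body(code, client_id, redirect_uri, state, verifier, client_secret=None):
    """Step 4: form fields to POST as application/x-www-form-urlencoded to TOKEN_URL."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "state": state, "code_verifier": verifier}
    if client_secret:  # only for confidential clients that were issued one
        body["client_secret"] = client_secret
    return body
```

Store the verifier and state server-side (or in the native app's session) between step 1 and step 4; the verifier must never appear in the authorization URL.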

The resulting access token can be used to make requests to the DailyPay REST API.

> The authorization code, access token, and refresh tokens can vary in size but will typically remain under 4096 bytes.