
Authorization Code Flow

This flow requires special authorization from Taboola.

For more information, reach out via our online Community.

📘

Quick summary

  1. Redirects the user to Taboola for authentication.
  2. Returns an Authorization Code that is used to obtain an Access Token and Refresh Token.

This flow is similar to the Implicit Flow, but involves an additional step. Because it is more secure, this flow is preferred over the Implicit Flow.

Flow

  1. User clicks on Connect within your App.
  2. Your App redirects the user to a Taboola login page:
    • [authentication_domain]/authentication/oauth/authorize/?client_id=[client_id]&redirect_uri=[redirect_uri]&response_type=code
    • Note: authentication_domain = https://authentication.taboola.com
  3. User logs in and authorizes your App.
  4. Taboola redirects the user back to your App, using the redirect_uri that you provided. A code query param is appended to the URL, containing the authorization code:
    • [redirect_uri]?code=[authorization_code]

🚧

You must register the redirect_uri with Taboola. Otherwise, the redirect will fail.

📘

The authorization code has a 10-minute expiration period.

  5. Your App uses the authorization code to obtain an Access Token and Refresh Token from the token endpoint (not visible to the user):
POST /backstage/oauth/token
Host: backstage.taboola.com
Content-Type: application/x-www-form-urlencoded

client_id=[client_id]&client_secret=[client_secret]&code=[authorization_code]&redirect_uri=[redirect_uri]&grant_type=authorization_code

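<?php

// Exchange the authorization code for an Access Token and Refresh Token.
// Sample values; load the real client_secret from server-side configuration.
$fields = http_build_query(array(
  "code" => "ABCDEF123456",
  "redirect_uri" => "https://example.com/callback", // percent-encoded in full by http_build_query
  "client_id" => "abc123",
  "grant_type" => "authorization_code",
  "client_secret" => "123456",
));

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://backstage.taboola.com/backstage/oauth/token",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_TIMEOUT => 30,            // fail instead of waiting indefinitely
  CURLOPT_FOLLOWLOCATION => false,  // do not re-send client_secret to a redirect target
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_POST => true,
  CURLOPT_POSTFIELDS => $fields,
  CURLOPT_HTTPHEADER => array(
    "Content-Type: application/x-www-form-urlencoded"
  ),
));

$response = curl_exec($curl);
if ($response === false) {
  // Transport-level failure (DNS, TLS, timeout)
  error_log("Token request failed: " . curl_error($curl));
}

curl_close($curl);
echo $response; // demonstration only; the response contains the tokens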

🚧

Use a POST verb with a Content-Type of application/x-www-form-urlencoded.

The response will look similar to the response of a Password Credentials request:

{
   "access_token": "ab4Tk<saw\feaXcp53wF2ksasq12",
   "refresh_token": "dkjsERT\fck37dSFD<skjw@sddso",
   "token_type": "bearer",
   "expires_in": 3600
}

📘

A Refresh Token is returned.
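
The steps above as an added Python example (not Taboola's code): it builds the login URL with a fully percent-encoded redirect_uri, accepts the code only when the callback matches the registered redirect_uri, and builds the token request body. The function names and sample values are constructed for illustration, and expires_in is assumed to be in seconds.

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_DOMAIN = "https://authentication.taboola.com"  # from the page


def authorize_url(client_id, redirect_uri):
    """Step 2: login URL. urlencode() percent-encodes redirect_uri in full."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code"})
    return f"{AUTH_DOMAIN}/authentication/oauth/authorize/?{query}"


def code_from_callback(callback_url, redirect_uri):
    """Step 4: accept a code only when it arrives on the registered redirect_uri."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1:  # missing, empty or repeated parameter
        raise ValueError("expected exactly one non-empty code parameter")
    return codes[0]


def token_request_body(client_id, client_secret, code, redirect_uri):
    """Step 5: form body for the server-side POST to /backstage/oauth/token."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "redirect_uri": redirect_uri,
                      "grant_type": "authorization_code"})


def parse_token_response(raw, now=None):
    """Validate the JSON token response and compute an absolute expiry time."""
    tok = json.loads(raw)
    if str(tok.get("token_type", "")).lower() != "bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    # Assumption: expires_in is in seconds, as defined by RFC 6749.
    return {"access_token": tok["access_token"],
            "refresh_token": tok.get("refresh_token"),
            "expires_at": now + int(tok["expires_in"])}


if __name__ == "__main__":
    redirect = "https://example.com/callback"  # constructed sample values
    print(authorize_url("abc123", redirect))
    code = code_from_callback(redirect + "?code=ABCDEF123456", redirect)
    print(token_request_body("abc123", "123456", code, redirect))
```

The same redirect_uri value must be passed to both authorize_url and token_request_body, and the token request belongs on the server so that client_secret never reaches the browser.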