Authorization Code Flow

Redirects the user to Taboola for authentication.
Returns an Authorization Code that is used to obtain an Access Token and Refresh Token.

Within Taboola, this flow is reserved for special use cases only.

For more information, reach out via our online Community.

This flow is similar to the Implicit Flow (above), but involves an additional step:

  1. User clicks on Connect within your App.
  2. Your App redirects the user to a Taboola login page:
    • [authentication_domain]/authentication/oauth/authorize/?client_id=[client_id]&redirect_uri=[redirect_uri]&response_type=code
    • Note: authentication_domain = https://authentication.taboola.com

🚧

You must register the redirect_uri with Taboola. Otherwise, the redirect will fail. For more information, reach out via our online Community.

  1. User logs in and authorizes your App.
  2. Taboola redirects the user back to your App, using the redirect_uri that you provided. A code query param is appended to the URL, containing the authorization code:
    • [redirect_uri]?code=[authorization_code]

📘

The authorization code has a 10-minute expiration period.

  1. Your App uses the authorization code to obtain an Access Token and Refresh Token from the token endpoint (not visible to the user):
POST /backstage/oauth/token
Host: https://backstage.taboola.com
Content-Type: application/x-www-form-urlencoded
?client_id=[client_id] &
client_secret=[client_secret] &
code=[authorization_code] &
redirect_uri=[redirect_uri] &
grant_type=authorization_code
<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://backstage.taboola.com/backstage/oauth/token",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 0,
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "code=ABCDEF123456&redirect_uri=https%3A//example.com/callback&client_id=abc123&grant_type=authorization_code&client_secret=123456",
  CURLOPT_HTTPHEADER => array(
    "Content-Type: application/x-www-form-urlencoded"
  ),
));

$response = curl_exec($curl);

curl_close($curl);
echo $response;

🚧

Use a POST verb with a Content-Type of application/x-www-form-urlencoded.

The response will look similar to the response of a Password Credentials request (above):

{
   "access_token": "ab4Tk<saw\feaXcp53wF2ksasq12",
   "refresh_token": "dkjsERT\fck37dSFD<skjw@sddso",
   "token_type": "bearer",
   "expires_in": 3600
}

📘

A Refresh Token is returned.

📘

Because it is more secure, this flow is preferred over Flow 3.