Access Token - 4 Flows

There are 4 ways to get an Access Token for the Backstage API. Choose the flow that best fits your needs.

Flow 1

  1. Client submits client_id and client_secret to the token endpoint.
  2. Server returns an Access Token.

Used for confidential, server-to-server communication.

📘

This flow is recommended.

Flow 2

  1. Client submits client_id, client_secret, username and password to the token endpoint.
  2. Server returns an Access Token and Refresh Token.

Used for confidential communication from client apps (e.g. web apps and mobile apps).

📘

Because the user needs to submit his credentials, this flow is generally not recommended.

Flow 3

  1. App redirects user to Taboola log-in page (to log in and grant the App access to their Taboola Backstage account).
  2. Taboola redirects the user back to the App, using the redirect_uri provided. An Access Token is passed as a URL fragment.

Used for non-confidential communication from client apps (e.g. web apps and mobile apps), when the Authorization Code flow (below) is not an option.

📘

Because this flow is less secure than Flow 4, it is generally not recommended.

Flow 4

Similar to Flow 3 (above), but more secure. The client first receives an Authorization Code and then uses it to get an Access Token (Step 3 below).

  1. App redirects user to Taboola log-in page (to log in and grant the App access to their Taboola Backstage account).
  2. Taboola redirects the user back to the App, using the redirect_uri provided. An Authorization Code is passed in the query string.
  3. App uses the Authorization Code to get an Access Token and Refresh Token from the token endpoint.

Suitable for non-confidential communication from client apps (e.g. web apps and mobile apps).

📘

Within Taboola, Flows 3 and 4 are reserved for special use cases only.

For more information, reach out via our online Community.
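The app side of Flow 4's three steps, as an added example that is not Taboola's code. It assumes the standard OAuth 2.0 parameter names from RFC 6749 (`response_type`, `state`, `code`, `grant_type`); the URLs are placeholders, since this page does not list the endpoints. It checks the redirect before trusting the Authorization Code.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder URLs (assumptions): this page does not give the real endpoints.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"
TOKEN_URL = "https://auth.example.invalid/token"
REDIRECT_URI = "https://app.example.invalid/callback"


def build_authorize_url(client_id):
    """Step 1: URL to redirect the user to, plus the state to store in their session."""
    state = secrets.token_urlsafe(32)  # unguessable value bound to this session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def extract_code(callback_url, expected_state):
    """Step 2: validate the redirect back to the app, return the Authorization Code."""
    parts = urlsplit(callback_url)
    if (parts.scheme, parts.netloc, parts.path) != urlsplit(REDIRECT_URI)[:3]:
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(parts.query)  # the code arrives in the query, not the fragment
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code, client_id, client_secret=None):
    """Step 3: form body to POST to the token endpoint (sent in the body, not a URL)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value used in step 1
        "client_id": client_id,
    }
    if client_secret is not None:  # only clients that can keep a secret send one
        body["client_secret"] = client_secret
    return TOKEN_URL, body
```

A redirect that carries a token in the URL fragment (as in Flow 3) has no `code` or `state` in its query string, so `extract_code` rejects it.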

The topics that follow provide more detail for each of the above flows.