There are four ways to get an Access Token for the Backstage API. Choose the flow that best fits your needs.
Flow 1: Client Credentials
- Client submits client_id and client_secret to the token endpoint.
- Server returns an Access Token.
Used for confidential, server-to-server communication, where the client can keep its client_secret private.
This flow is recommended.
Flow 2: Password (Resource Owner Password Credentials)
- Client submits client_id, client_secret, username and password to the token endpoint.
- Server returns an Access Token and Refresh Token.
Used for confidential communication from client apps (e.g. web apps and mobile apps).
Because the user has to hand their Taboola credentials to the app itself (rather than to Taboola's own log-in page), this flow is generally not recommended.
Flow 3: Implicit
- App redirects the user to the Taboola log-in page (to log in and grant the App access to their Taboola Backstage account).
- Taboola redirects the user back to the App, using the redirect_uri provided. An Access Token is passed as a URL fragment.
Used for non-confidential communication from client apps (e.g. web apps and mobile apps), when the Authorization Code flow (below) is not an option.
Because the Access Token is exposed in the browser (address bar, history, and any script running on the page) and no Refresh Token is issued, this flow is less secure than Flow 4 and is generally not recommended.
Flow 4: Authorization Code
Similar to Flow 3 (above), but more secure: the browser only ever sees a short-lived Authorization Code, and the App exchanges that code for an Access Token (Step 3 below).
- App redirects the user to the Taboola log-in page (to log in and grant the App access to their Taboola Backstage account).
- Taboola redirects the user back to the App, using the redirect_uri provided. An Authorization Code is passed in the query string.
- App uses the Authorization Code to get an Access Token and Refresh Token from the token endpoint.
Suitable for non-confidential communication from client apps (e.g. web apps and mobile apps).
Best Practice
For improved security, consider using the PKCE extension with this flow.
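The following is an added example, not Taboola's own SDK or code from this page. It builds the requests for Flows 1, 2 and 4 and the log-in redirect for Flows 3 and 4, generates a PKCE verifier/challenge pair (RFC 7636, S256) for the best practice above, and parses the redirect back to the App, distinguishing the fragment used by Flow 3 from the query string used by Flow 4 and rejecting a mismatched state value. The endpoint paths, redirect URI and credentials are assumptions made for illustration; check the actual endpoint URLs against the Backstage documentation before use.

```python
"""OAuth 2.0 request builders for the four Backstage flows (added example).

Nothing here talks to the network except post_form(), which is never called
by the demo; everything else is pure request construction so it runs offline.
"""
import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoints: verify against the Backstage documentation.
TOKEN_URL = "https://backstage.taboola.com/backstage/oauth/token"
AUTHORIZE_URL = "https://backstage.taboola.com/backstage/oauth/authorize"


def client_credentials_request(client_id, client_secret):
    """Flow 1: server-to-server. Returns (url, form body) for the token endpoint."""
    return TOKEN_URL, {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }


def password_request(client_id, client_secret, username, password):
    """Flow 2: the user's own credentials pass through the app (not recommended)."""
    return TOKEN_URL, {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }


def make_pkce_pair(verifier=None):
    """RFC 7636 S256: challenge = base64url(sha256(verifier)) without '=' padding."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorize_url(client_id, redirect_uri, response_type, state, code_challenge=None):
    """Step 1 of Flow 3 (response_type='token') or Flow 4 (response_type='code').

    `state` is a per-request random value the app stores and later compares,
    so a redirect that was not started by this app is rejected.
    """
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if code_challenge:  # PKCE only applies to the Authorization Code flow
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: read what Taboola sent back to the redirect_uri.

    Flow 3 puts the Access Token in the URL fragment (after '#'); Flow 4 puts
    the Authorization Code in the query string (after '?').
    """
    parts = urlsplit(redirect_url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    data = fragment if "access_token" in fragment else query
    if data.get("state") != expected_state:
        raise ValueError("state mismatch: redirect was not started by this app")
    if "error" in data:
        raise ValueError("authorization failed: " + data["error"])
    if "access_token" in data:
        return {"flow": "implicit", "access_token": data["access_token"]}
    if "code" in data:
        return {"flow": "authorization_code", "code": data["code"]}
    raise ValueError("redirect carried neither a token nor a code")


def authorization_code_request(client_id, code, redirect_uri,
                               client_secret=None, code_verifier=None):
    """Flow 4, step 3: exchange the code at the token endpoint.

    A confidential client sends client_secret; a public client using PKCE
    sends the code_verifier matching the challenge from authorize_url().
    """
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_secret:
        body["client_secret"] = client_secret
    if code_verifier:
        body["code_verifier"] = code_verifier
    return TOKEN_URL, body


def post_form(url, body):
    """Send a token request as application/x-www-form-urlencoded and decode JSON."""
    req = urllib.request.Request(url, data=urlencode(body).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; the redirect URL below is made up, not captured.
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(authorize_url("my_client_id", "https://app.example/cb", "code", state, challenge))
    result = parse_redirect("https://app.example/cb?code=abc123&state=" + state, state)
    print(authorization_code_request("my_client_id", result["code"],
                                     "https://app.example/cb", code_verifier=verifier))
```

The state check is deliberately performed before anything else is read from the redirect, and the fragment is only consulted when it actually carries an access_token, so a Flow 4 redirect can never be mistaken for a Flow 3 one. The PKCE pair is generated fresh per authorization request and the verifier is kept server-side (or in app memory) until the code exchange.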
Use Cases
Within Taboola, Flows 3 and 4 are reserved for special use cases only.
For more information, reach out via our online Community.
The topics that follow provide more detail for each of the above flows.