Authorization code
The Authorization Code grant type generates and submits an authorization code to get an access token.
To get an authorization code and request an access token, use the following steps:
1. Get an authorization code
During the login process, the Authorization Code grant type redirects your user to a Trustpilot-owned website where they are authenticated; they then return with a parameter containing an authorization code. You must use the returned authorization code to request an access token (step 2).
Method: GET
https://authenticate.trustpilot.com
Parameters
Name | Type | Description |
---|---|---|
client_id | Required string | The API key |
redirect_uri | Required string | The client’s site URL. When you get the API key from your account manager, you need to specify the redirect_uri. The redirect_uri must be https. |
response_type | Required string | Value must be set to code |
Example
https://authenticate.trustpilot.com?client_id=APIKey&redirect_uri=https://www.clientsSite.com&response_type=code
Redirects back to: https://www.clientsSite.com/?code=Code
2. Request an access token
Use the authorization code that you got in the previous step to request an access token.
Method: POST
https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/accesstoken
Headers
Authorization: Basic [BASE64_ENCODED(API_KEY:API_SECRET)]
Content-Type: application/x-www-form-urlencoded
There are two ways to pass your API Key and secret:
- Pass your key in the Authorization header, using HTTP Basic authentication. This is the recommended approach.
- Pass your key in the payload using the client_id and client_secret parameters.
Payload
Name | Type | Description |
---|---|---|
grant_type | Required string | Value must be set to authorization_code |
code | Required string | The provided code after the redirection |
redirect_uri | Required string | The client’s site URL. The URL in your app where it was redirected to after authorization. It has to be identical to the redirect_uri parameter provided in the first step of authorization. The redirect_uri must be https. |
client_id | Optional string | The API key |
client_secret | Optional string | The API secret |
Example
https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/accesstoken
grant_type=authorization_code&code=Code&redirect_uri=https://www.clientsSite.com
Response
The response contains the access token, refresh token and time of expiration:
{ "access_token": "AccessToken", "refresh_token": "RefreshToken", "expires_in": "359999" }
When your access token expires, your user needs to log in to get a new authorization code.
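The two steps above as an added Python example (not Trustpilot's own code): it builds the step 1 URL with percent-encoded parameters, accepts the code only from a callback that arrived on the same redirect_uri, and builds the step 2 POST with the key and secret in the Basic header. The function names are hypothetical and APIKey, APISecret and Code are the page's placeholders; the request is built but not sent.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

AUTHORIZE_URL = "https://authenticate.trustpilot.com"
TOKEN_URL = ("https://api.trustpilot.com/v1/oauth/"
             "oauth-business-users-for-applications/accesstoken")

def require_https(redirect_uri):
    # The page requires an https redirect_uri; fail before any request is built.
    if urlsplit(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must be https")
    return redirect_uri

def build_authorize_url(api_key, redirect_uri):
    # Step 1: URL the user's browser is sent to, with values percent-encoded.
    query = urlencode({"client_id": api_key,
                       "redirect_uri": require_https(redirect_uri),
                       "response_type": "code"})
    return f"{AUTHORIZE_URL}?{query}"

def extract_code(callback_url, redirect_uri):
    # Take the code only from a callback that landed on our own redirect_uri.
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    same = (got.scheme, got.netloc, got.path.rstrip("/")) == \
           (want.scheme, want.netloc, want.path.rstrip("/"))
    codes = parse_qs(got.query).get("code", [])
    if not same or len(codes) != 1:
        raise ValueError("unexpected callback")
    return codes[0]

def build_token_request(api_key, api_secret, code, redirect_uri):
    # Step 2: key and secret go in the Basic header (the recommended option),
    # so the secret never appears in the form payload.
    basic = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": require_https(redirect_uri)})
    return Request(TOKEN_URL, data=body.encode(), method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

if __name__ == "__main__":
    redirect = "https://www.clientsSite.com"  # placeholder from the page
    print(build_authorize_url("APIKey", redirect))
    code = extract_code("https://www.clientsSite.com/?code=Code", redirect)
    req = build_token_request("APIKey", "APISecret", code, redirect)
    print(req.get_method(), req.full_url, req.data.decode())
    # urllib.request.urlopen(req) would send it; omitted so the example runs offline.
```

Passing the same `redirect` value to both steps keeps the step 2 redirect_uri identical to the one used in step 1, as the payload table requires.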