OAuth
Last updated
This article lays out the steps to take in order to set up an OAuth authorization flow with Ellipsis Drive.
You can use OAuth to create a so-called "refresh token" that your backend can store and use to create an access token for the user in question. This access token can then be used to make API calls to Ellipsis Drive as this user.
Ellipsis Drive supports the authorization code "grant type" with optional PKCE for additional security. This security measure is particularly important for apps that cannot maintain the confidentiality of the client secret, such as single-page apps, mobile apps and native apps.
To set up OAuth, perform the following steps:
Step 1. Go to your account settings, pick developer settings in the side menu and register an OAuth client. All you need to provide is a callback URL (more on that later). After registration, make sure to store both your client ID and client secret.
Step 2. Create an authorization button in your app that calls the authorization API call. This call will redirect the user to Ellipsis Drive to authorise your app.
Step 3. Once the user has granted permission in the Ellipsis Drive app, your callback URL (provided in step 1) will be used to redirect the client back. An authorization code will be provided to this callback URL as a parameter. This step is fully taken care of by Ellipsis Drive.
Step 4. The callback, which you should implement in your own API, now needs to exchange the authorization code for an access token and refresh token using the authorization code variant API call. Make sure to store the refresh token in your backend, as this token can be used to create another access token for the user at a later time. Once this is all done, you should redirect the user to your own app and include the access token in the URL.
Step 5. Your app can now use the access token to make requests to Ellipsis Drive.
When the user revisits your app you can use the refresh API call to create a new access token (it is therefore only needed for the user to grant access once).
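The following is an added example (not code from Ellipsis Drive or its SDK) showing the backend side of steps 2 to 5 with PKCE: generating the code verifier and challenge, building the authorization URL with a state value, validating the callback, and building the token-exchange and refresh requests. The endpoint URLs, the parameter names and the in-memory pending-flow store are assumptions; substitute the values from the Ellipsis Drive API reference and a real session store before use.

```python
# Added example: authorization-code flow with PKCE (RFC 7636), backend side.
# Endpoint URLs and parameter names below are placeholders, not Ellipsis Drive's.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://AUTH_SERVER_PLACEHOLDER/oauth/authorize"  # assumption
TOKEN_URL = "https://AUTH_SERVER_PLACEHOLDER/oauth/token"          # assumption

# Pending flows keyed by state -> code_verifier. A real backend keeps this
# in the user's server-side session so the verifier never reaches the browser.
PENDING: dict[str, str] = {}


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved characters (43 for 32 bytes)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """Step 2: the URL the authorization button sends the user to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def start_authorization(client_id: str, redirect_uri: str) -> str:
    """Create state + verifier, remember them server-side, return the redirect URL."""
    state = secrets.token_urlsafe(32)
    verifier = make_code_verifier()
    PENDING[state] = verifier
    return build_authorization_url(client_id, redirect_uri, state, make_code_challenge(verifier))


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3/4: pull the authorization code out of the callback, rejecting
    provider errors and any state that does not match the one we issued (CSRF guard)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code


def build_token_request(client_id: str, client_secret: str, redirect_uri: str,
                        callback_url: str) -> dict:
    """Step 4: body to POST to TOKEN_URL from the backend (never from the browser).
    Consumes the pending flow so a replayed callback cannot reuse the verifier."""
    state = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    verifier = PENDING.pop(state, None)
    if verifier is None:
        raise ValueError("unknown or already-used state")
    code = parse_callback(callback_url, state)
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Step 5 follow-up: body for minting a new access token from the stored refresh token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
```

The access token returned by the exchange is what your app uses for API calls; only the refresh token belongs in persistent backend storage, and the code verifier is discarded as soon as the exchange request is built.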