We use standard OAuth. The typical flow goes like this:
- Perform a GET request to /oauth/authorize with URL parameters client_id, redirect_uri, scope (a space-separated list of requested scopes) and response_type=code.
- Once the user grants your app permission to access their data, the browser will redirect to redirect_uri with a URL parameter code.
- With this code, your application will have 10 minutes to perform a POST request to /oauth/token with parameters client_id, client_secret, code, redirect_uri and grant_type=authorization_code.
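
The three steps above, sketched as an added example (not code from this API's provider). The host provider.example, the callback app.example, the function names and the form-encoded POST body are assumptions; the endpoints and parameter names are the ones listed above.

```python
import time
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://provider.example"  # assumption: placeholder API host
CODE_TTL = 600                     # seconds; the 10-minute window for the code


def authorize_url(client_id, redirect_uri, scopes):
    """Step 1: URL the user's browser is sent to (GET)."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated list
        "response_type": "code",
    })
    return f"{BASE}/oauth/authorize?{query}"


def code_from_callback(callback_url, redirect_uri):
    """Step 2: extract code from the redirect, rejecting unexpected callbacks."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1:  # missing or duplicated parameter
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request(client_id, client_secret, code, redirect_uri, received_at, now=None):
    """Step 3: build the POST to /oauth/token; refuse a code past its window."""
    now = time.time() if now is None else now
    if now - received_at >= CODE_TTL:
        raise ValueError("authorization code is older than 10 minutes; restart the flow")
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only, never in the browser
        "code": code,
        "redirect_uri": redirect_uri,    # same value as in step 1
        "grant_type": "authorization_code",
    }).encode()
    # Assumption: form-encoded body, as in standard OAuth 2.0
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{BASE}/oauth/token", body, headers


if __name__ == "__main__":
    cb = "https://app.example/callback"  # constructed sample values
    print(authorize_url("my-client-id", cb, ["read", "write"]))
    print(code_from_callback(cb + "?code=SAMPLECODE", cb))
```

The returned URL, body and headers can be passed to any HTTP client; record received_at when the callback arrives so the age check reflects the real 10-minute window.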