Hikka Docs

OAuth

How to use Hikka OAuth

Getting started

Hikka uses OAuth2 for authentication via the Authorization Code Grant flow.

These rules apply to Hikka’s OAuth2 implementation:

  • Hikka supports scopes. Any request without the required scope will be denied
  • Access tokens have a lifetime of 30 minutes
  • There are no refresh tokens. After an authenticated request (except Get token info), the access token is extended by another 30 minutes
  • If the token expires, you need to make another OAuth request to obtain a new token

When do you need authentication?

  • Modification of any resource
  • Get private data (only for the currently authenticated user)
  • Get user-specific data

Implementation

Create an application

To create an application, navigate to the Hikka application settings and click the + button.

Creating an application requires the following information:

  • Name of your application
  • Description
  • Redirect URL

Once you've created your application, you will be given a reference (client id) and client secret.

Redirecting for authorization

You need to redirect the user to the authorization URL https://hikka.io/oauth with the following required query parameters:

  • reference - your reference (client id)
  • scope - a comma-separated list of requested scopes (can be found here)

Here is an example of the redirect link:

<a href="https://hikka.io/oauth?reference=CLIENT_REFERENCE&scope=SCOPE">Continue with Hikka</a>

User approval

Once the user has been redirected, they will be shown a page asking them to approve your application. If the user is not logged in, they will be prompted to log in first.

Once the user has approved your application, they will be redirected back to the redirect URL you specified when creating the application. The redirect will contain a reference query parameter representing the authorization code.

Token exchange

Once you have an authorization code, you can exchange it for an access token. To do this, send a "Make token for a third-party client" request.

Here is an example:

// Run this on your backend: the client secret must not be shipped in browser code.
const body = JSON.stringify({
  "request_reference": "<your authorization code>",
  "client_secret": "<your client secret>"
});

// Exchange the authorization code for an access token and parse the JSON response.
fetch("https://api.hikka.io/auth/token", {
  method: "POST",
  headers: {
    "Content-Type": "application/json"
  },
  body
})
  .then((response) => response.json());

As a result, you will receive a response containing the user token:

{
  "expiration": 1686088809,
  "created": 1686088809,
  "secret": "CQE-CTXVFCYoUpxz_6VKrHhzHaUZv68XvxV-3AvQbnA"
}

With this token you can perform authenticated requests.
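The redirect steps and the token lifetime rules from Getting started, sketched as an added example that is not part of the Hikka docs or Hikka's own code: it builds the authorization link, reads the authorization code from the callback, and keeps a local estimate of when the token expires. All helper names, the scope placeholders and the callback URL are hypothetical; `expiration` is assumed to be Unix seconds, and the extension is modeled conservatively as 30 minutes from the time of the request.

```javascript
// Added example, not Hikka's code. Helper names are hypothetical.
const AUTHORIZE_URL = "https://hikka.io/oauth"; // from the page
const TOKEN_LIFETIME_S = 30 * 60;               // 30 minutes, from the page

// Build the authorization link. URL.searchParams percent-encodes the values,
// so a client reference or scope list cannot break out of the query string.
function buildAuthorizeUrl(clientReference, scopes) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set("reference", clientReference);
  url.searchParams.set("scope", scopes.join(",")); // comma-separated list
  return url.toString();
}

// Read the authorization code from the URL the user was redirected back to.
// A callback without a code is rejected instead of being sent to the API.
function extractAuthorizationCode(callbackUrl) {
  const code = new URL(callbackUrl).searchParams.get("reference");
  if (!code) throw new Error("callback carries no authorization code");
  return code;
}

// Local estimate of the token lifetime, built from the token response.
class TokenState {
  constructor(tokenResponse) {
    this.secret = tokenResponse.secret;
    this.expiration = tokenResponse.expiration; // assumed Unix seconds
  }

  // There are no refresh tokens: once this returns true, start the
  // authorization flow again to obtain a new token.
  isExpired(nowS) {
    return nowS >= this.expiration;
  }

  // Call after each successful authenticated request. "Get token info"
  // does not extend the token, and an expired token stays expired.
  noteAuthenticatedRequest(nowS, isTokenInfoRequest = false) {
    if (isTokenInfoRequest || this.isExpired(nowS)) return;
    this.expiration = nowS + TOKEN_LIFETIME_S; // conservative estimate
  }
}
```

The server remains the authority on expiry; treat a rejected request as a signal to re-authorize even when the local estimate says the token is still valid.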

Learn how authentication works in our Authentication guide, and how to test your OAuth integration locally in the Local testing guide.
