Obtain a temporary special use login url via the /oauth2/requestCode resource

Direct the end user to the temporary login_uri location that is returned from the /oauth2/requestCode endpoint via a pop-up window (or iFrame, but we recommend a pop-up window).

Once the end user has authorized your application to access their account, the end user will be redirected to your callback_uri that you specified in Step #1. A query (GET) parameter will be added to the end of your callback_uri containing one or more authorization_codes. Each authorization_code corresponds to a unique affiliation they have within the system. If multiple authorization_codes are issued, the authorization_codes query parameter will be comma separated.

Securely store and save the authorization_codes. These codes are valid for 1 year and will be required to continue to access the user's account without needing to login again until the codes have expired (1 year).

When you're ready to make an API call on behalf of the user, use the /oauth2/requestToken resource to exchange the authorization_code for an access_token. Access tokens are valid for 30 minutes. When an access token has expires, you will need to obtain a new access_token using the same authorization_code from Step #3 using the /oauth2/requestToken resource.

Securely and temporarily store the access_token and complete your desired API calls using the new token.

After your authorization_code has expired (1 year), you'll need to start over again from Step #1 to continue acting on behalf of the user.