Allowing Users to Get Their Own OAuth Tokens for Accessing an API

Let's take a look at an opinion about allowing users to get their own OAuth tokens for accessing an API.

I run a lot of different applications that depend on GitHub and that use GitHub authentication as the identity and access management layer for these apps. One of the things I like the most about GitHub, and how I feel it handles its OAuth more thoroughly than most other platforms, is how they let you get your own OAuth token under your settings > developer settings > personal access tokens. You don’t need to set up an application and do the whole OAuth dance; you just get a token that you can use to pass along with each API call.

I operate my own OAuth server, which allows me to authenticate using OAuth with many leading APIs, so generating an OAuth token and setting up a new provider isn’t too hard. However, it is always much easier to go under my account settings, create a new personal access token for a specific purpose, and get to work playing with an API. I wish that ALL API providers did this. At first glance, it looks like GitLab, Harvest, Typeform, and Contentful all provide personal access tokens as a first option for on-boarding with their APIs, demonstrating this is more of a pattern than just a GitHub feature.

One of these days I’m going to have to do another story documenting the entire GitHub OAuth system, because they have a lot of interesting bells and whistles that make using their platform much more secure and just a more frictionless experience than other API providers I use on a regular basis. GitHub has ground down a lot of the sharp corners on the whole authentication experience when it comes to OAuth. It would make a nice blueprint to share, and work to convince other API providers it is a pattern worth following, reducing the cognitive load around OAuth management for any API integration, and standardizing how API providers support their API consumers and end-users.

I have 3 separate Twitter Apps set up for specific purposes, but I wanted to have a separate personal application just for managing my personal @kinlane account. I submitted a Twitter application for review, but haven’t heard back after almost a month. As an individual user of any platform, I should be able to instantly issue a personal access token that lets me, or someone I sanction, access my data and content on the platform. Personal access tokens should be a default feature for any consumer-focused platform, putting API access more within the control of each end-user, and the platform power users.

integration, apis, oauth, api access, oauth tokens

Published at DZone with permission of
