Authorizing OAuth Apps

You can enable organization members to authorize your OAuth app.

When you build an OAuth app, implement the web application flow described below to obtain an authorization code and then exchange it for a token.

Request Authorization Code

You should redirect the user to the /oauth/authorize endpoint with the following GET parameters:

https://accounts.crowdin.com/oauth/authorize

This will ask the user to approve the app access to their account based on the scopes specified in REQUESTED_SCOPES and then redirect back to the REDIRECT_URI you provided when creating an app.

Parameters

Name	Value	Description
client_id	string	Required. You receive Client ID for the app when you register it.
redirect_uri	string	Required. The URL in your application where users will be sent after authorization.
response_type:code	string	Required. The parameter is used for the flow specification of an OAuth app.
scope	string	Required. Select the access your app requires from the list of scopes available. You can add multiple scopes separated by spaces (no need to use quotation marks).
state	string	An unguessable random string. Use it for extra protection against cross-site request forgery attacks.

The following Authorization Url will be created:

https://accounts.crowdin.com/oauth/authorize?client_id=m50YenPpqac8u5D4dnK&redirect_uri=https://impact-mobile.com/auth/crowdin&response_type=code&scope=project+tm&state=d131dd02c5e6eec4

After successful authorization users are redirected back to your site:

https://impact-mobile.com/auth/crowdin/?code=def50200df1fbb5ebac05f9288850d9e...0835bd3cf42&state=d131dd02c5e6eec4

If authorization has been declined, users are redirected to your website with an error:

https://impact-mobile.com/auth/crowdin/?error=access_denied&state=d131dd02c5e6eec4

Users Are Redirected Back to Your Site by Crowdin

If a user authorizes the app, Crowdin redirects back to your site and you can exchange the code received for an access token:

POST https://accounts.crowdin.com/oauth/token

Parameters

Name	Value	Description
grant_type: authorization_code	string	Required. The parameter is used for the flow specification of an OAuth app.
client_id	string	Required. You receive Client ID for the app when you register it.
client_secret	string	Required. You receive Client Secret for the app when you register it.
redirect_uri	string	Required. The URL in your application where users will be sent after authorization.
code	string	Required. Code received from the callback query string.

For example, request in curl takes the following form:

curl -X POST \
  https://accounts.crowdin.com/oauth/token \
  -H "content-type: application/json" \
  -d "{
      \"grant_type\":\"authorization_code\",
      \"client_id\":\"m50YenPpqac8u5D4dnK\",
      \"client_secret\":\"yz35kYtjox...YE9Am\",
      \"redirect_uri\":\"https://impact-mobile.com/auth/crowdin\",
      \"code\":\"def50200df1fbb5ebac05f9288850d9e...0835bd3cf42\"
  }"

Response

By default, the response takes the following form:

{
  "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJS...lag1e_Zk4EdJ5diYfz0",
  "token_type":"bearer",
  "expires_in": 7200,
  "refresh_token": "b213c684ccaa7db1217e946e6ad...fff7ae"
}

Make Requests to the API with the Access Token Returned

The access token now allows you to make requests to Crowdin API on behalf of the authorized user.

For example, in curl you can set the following Authorization header:

curl -H "Authorization: Bearer ACCESS_TOKEN" https://api.crowdin.com/api/v2/projects

Crowdin Enterprise:

curl -H "Authorization: Bearer ACCESS_TOKEN" https://<organization_domain>.api.crowdin.com/api/v2/projects

Note

To obtain the Crowdin Enterprise organization_domain, parse the access token structured according to JWT specifications, and extract the required organization_domain from it.

Read more about JWT Token Structure.

Refresh Token

The access token received after a user authorizes the app has an expiration time. Access token expires in the number of seconds defined in the response.

To refresh a token without requiring the user to be redirected, send a POST request with the following body parameters to the authorization server:

POST https://accounts.crowdin.com/oauth/token

Parameters

Name	Value	Description
grant_type: refresh_token	string	Required. The parameter is used for the flow specification of an OAuth app.
client_id	string	Required. You receive Client ID for the app when you register it.
client_secret	string	Required. You receive Client Secret for the app when you register it.
refresh_token	string	Required. Refresh token received from the last authorization response.

For example, request in curl takes the following form:

curl -X POST \
  https://accounts.crowdin.com/oauth/token \
  -H "content-type: application/json" \
  -d "{
      \"grant_type\":\"refresh_token\",
      \"client_id\":\"m50YenPpqac8u5D4dnK\",
      \"client_secret\":\"yz35kYtjox...YE9Am\",
      \"refresh_token\":\"b213c684ccaa7db1217e946e6ad...fff7ae\"
  }"

Response

By default, the response takes the following form:

{
  "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJS...ZjFkMWI4OWFlIiwiaWF",
  "token_type":"bearer",
  "expires_in": 7200,
  "refresh_token": "ea506ea4c37aa152f0a91ed2482...4a0c567"
}

Redirect URLs

You can register one or more redirect URLs when you create an OAuth Application on Crowdin.

For security reasons, if the URL is not included in the Application info you won’t be able to redirect users to this URL after authorization.