The API uses OAuth2 for authorization. To access protected parts of the API, you need to obtain an access token using the following endpoints:

Authorization-Endpoint: /developer/auth
Token-Endpoint: /authorization/token
App Registration: available to registered users at the URL /developer/account/app


Authorization Code Grant

To obtain the authorization code, redirect the resource owner's browser to the consumer endpoint: /developer/auth?response_type=code&client_id=[app_key]&redirect_uri=[redirect_uri]&scope=[scopes]

If the authorization was successful, the user is redirected to the redirect_uri of your app. The redirect_uri contains a GET parameter named code, which can be exchanged for an access token at the Token-Endpoint.


Authorization Token Grant from Authorization Code
POST /authorization/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=[code]&client_id=[app_key]&redirect_uri=[redirect_uri]&client_secret=[app_secret]

Authorization Token Grant from Refresh Token
POST /authorization/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=[token]&client_id=[app_key]&client_secret=[app_secret]
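
The requests described above, built with Python's standard library as an added example (not part of the original API documentation). The host in BASE and all function names are assumptions, since the page gives only paths; the token functions return an unsent request object so the block runs offline.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

BASE = "https://api.example.com"  # assumed host; the page documents only paths
AUTH_PATH = "/developer/auth"
TOKEN_PATH = "/authorization/token"


def authorization_url(app_key, redirect_uri, scopes):
    """URL the resource owner's browser is redirected to (values URL-encoded)."""
    query = urlencode({
        "response_type": "code",
        "client_id": app_key,
        "redirect_uri": redirect_uri,
        "scope": scopes,
    })
    return f"{BASE}{AUTH_PATH}?{query}"


def code_from_callback(callback_url):
    """Extract the code GET parameter from the request made to redirect_uri."""
    codes = parse_qs(urlsplit(callback_url).query).get("code", [])
    if len(codes) != 1:  # missing or repeated parameter: do not guess
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def _token_request(fields):
    # app_secret travels only in the POST body, never in a URL or the browser.
    return Request(
        BASE + TOKEN_PATH,
        data=urlencode(fields).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def token_from_code(code, app_key, app_secret, redirect_uri):
    """Token request for grant_type=authorization_code."""
    return _token_request({
        "grant_type": "authorization_code", "code": code,
        "client_id": app_key, "redirect_uri": redirect_uri,
        "client_secret": app_secret,
    })


def token_from_refresh(refresh_token, app_key, app_secret):
    """Token request for grant_type=refresh_token."""
    return _token_request({
        "grant_type": "refresh_token", "refresh_token": refresh_token,
        "client_id": app_key, "client_secret": app_secret,
    })
```

Pass the returned object to urllib.request.urlopen from server-side code to send it.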