Password Exchange

If you’re building a mobile (iPhone, Android, etc.) app, it can be easier to exchange a user’s password and email/username for an access token than to send your user through the traditional OAuth flow.

Step 1: Register your Application

Sign in as a registered user then visit the new client application page. Enter in the name of your application. For this example, we can use foo; you can change this later if you desire. Hit enter and you should see a screen that has your application name along with a client id and a secret. These behave like a username and password for your OAuth application.

Name:           foo
client id:      3234myClientId5678
client Secret:  14321myClientSecret8765

Once you’ve registered an app successfully, we can start to build an OAuth application. Don’t continue until you’ve registered a client app.

Note: Replace the client id and secret with your actual client id and secret.

Once you have your id and secret, you can ask the user of your application to provide you with their username and password. For the purposes of this example we will be using the email address and password p4ssw0rd.

Note: Replace the email and password with a real user’s credentials.

Once you have the email/username and password of a user, you can exchange this information for a token by sending the server your client_id & client_secret along with the username and password. Don’t forget to url encode any special characters like @, and always transmit this sensitive data using a secure protocol (such as https):

The response should be JSON with an access_token:


You can now use the access_token in the parameters or the header of future requests. See the end of the Quick Start Guide for examples.

Additional Exchange

In addition to username/password, the owner of this web service may choose to implement other custom exchanges such as Facebook or Twitter token exchange for an access token. You must contact the owner of this web service to see if they support other data when exchanging tokens.

When you do this make sure to pass grant_type=password or grant_type=bearer in the request to in addition to any required parameters.

← back