Skip to content

Integration guide

Before you begin

Check out the demo registration site using the login and registration flows documented below. You can see the demo here and view the source code here.

In the following sections you will need to know your XPKit base domain and Account ID.

See connecting to your instance of XPKit to determine your base domain.

If you are unsure what your Account ID is you can find this out by:

  • Logging into XPKit Portal
  • Clicking on your avatar
  • Your Account ID will be listed on this page

Wherever you see the {% base_domain %} and {% acccount_id %} tags substitute them with these values.

Notes on generating required OAuth parameters

In the following sections you will see the following parameters referenced in URLs.

  • client_id - you can find this value in XPKit Portal if you followed the instructions to create an OAuth application
  • state, code_challenge, code_verifier and code_challenge_method - see this guide for instructions on how to generate these values. The two challenge methods accepted by XPKit are plain and S256 (SHA256)
  • redirect_uri - you should provide a URI where the Auth API should redirect the user after a sign in attempt. Either a code and state or error and error_description will be returned to this address as GET parameters

Login flow

To send a user into the login flow, add a Sign in with... button to your site with a URL pointing to:

https://auth.{% base_domain %}/authorize/
?response_type=code&provider=XXX
&client_id=XXX&state=XXX&code_challenge=XXX
&code_challenge_method=XXX&redirect_uri=XXX

See the list of available providers below to determine the value you should use for the provider param.

Available authentication providers

Provider name URL param Example button Button downloads
Apple apple Sign in with Apple Link
Facebook facebook Continue with Facebook Link
Google google Sign in with Google Link
LinkedIn linkedin_oauth2 Sign in with LinkedIn Link
Microsoft microsoft Sign in with Microsoft Link
XPKit xpkit Register with XPKit Link

Register flow

If you are using XPKit as an authentication provider, a registration flow is provided. To send a user into this flow, add a Register with XPKit button to your site like so...

Register with XPKit

...with a URL pointing to:

https://auth.{% base_domain %}/registration/{% account_id %}/?redirect_uri=XXX

Note: if your account has been set to invite only, a code (?invite_code=XXX) is required on the button URL. Invites are usually sent out by account admins via XPKit Portal. Invite emails are sent to the invitees with URLs containing the required codes.

Redirect URIs

If the redirect_uri is missing in the sign in request, and there is only one specified in the OAuth app's redirect_uris field, that value will be used. If there is more than one specified, the first one will be used.

Handling errors

In the case of an error during the login flow the user will be redirected to the redirect_uri with error and error_description parameters. Here is a list of the errors you could expect to receive:

Error Error description More details
invalid_request Mismatching redirect URI The redirect_uri is not in the redirect_uris field.
invalid_request Invalid redirect URI The redirect_uri is not in the redirect_uris field and is an invalid URI.
invalid_request The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
unauthorized_client The client is not authorized to request an authorization code using this method.
access_denied The resource owner or authorization server denied the request.
server_error The authorization server encountered an unexpected condition that prevented it from fulfilling the request.
temporarily_unavailable The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. Returned when the your XPKit license has expired.

Exchanging an authorization code for an access token

If an authorization code was successfully generated two parameters will be returned on the redirect URI:

  • code - the authorization code
  • state - the value received from the client returned back. The parameter should be used for preventing cross-site request forgery.

Once your app receives the code parameter on the redirect URI, it should attempt to exchange this code for an access token. The endpoint the POST request should be made to is:

https://auth.{% base_domain %}/api/token/

Example request (Python)

import requests

# Example using the EMEA region
token_exchange_endpoint = 'https://auth.emea.xpkit.net/api/token/'
data = {
    'grant_type': 'authorization_code',
    'code': 'available as the code param on the redirect URI',
    'client_id': 'available from XPKit Portal',
    'redirect_uri': 'same value as provided on sign in button',
    'code_verifier': 'see notes section above for guide'}

    # When you created the OAuth 2 app in XPKit Portal if you selected
    # "Confidential" as the client type the client secret is required...
    data['client_secret'] = 'available from XPKit Portal'

req = requests.post(token_exchange_endpoint, data=data)
content = req.json()

access_token = content['access_token']
scopes = content['scope']
expires = content['expires_in']

Errors exchanging a code for a token

If there was a problem exchanging an authorization code for an access token, here is a list of the errors you could expect to receive:

Error Error description More details
invalid_request Mismatching redirect URI The redirect_uri is not in the redirect_uris field.
invalid_request Invalid redirect URI The redirect_uri is not in the redirect_uris field and is an invalid URI.
invalid_client The client_id or client_secret is not valid.
invalid_grant The code_verifier or code is not valid.
unsupported_grant_type The grant_type is not valid