PIN-based authorization
The PIN-based OAuth flow is a version of the 3-legged OAuth process and is intended for applications that cannot access or embed a web browser to redirect the user after authorization. Examples of such applications are command-line applications, embedded systems, game consoles, and certain types of mobile apps. The PIN-based OAuth flow is initiated by an app in the request_token step with the oauth_callback set to oob. The term oob means out-of-band OAuth. The user still visits X to log in or authorize the app, but they will not be automatically redirected to the application upon approving access. Instead, they will see a numerical PIN code, with instructions to return to the application and enter this value.
Note: The callback_url within the X app settings is still required, even when using PIN-based auth.

Implementing the PIN-based OAuth flow
The PIN-based flow is implemented in the same way as 3-legged authorization (and Sign in with X), with the following differences:

- The value for oauth_callback must be set to oob during the POST oauth/request_token call.
- After the user is sent to X to authorize your app using either a GET oauth/authenticate or GET oauth/authorize URL, they will not be redirected to your callback_url; instead they will see a screen with an X-generated ~7 digit PIN and directions to enter the PIN into your application.
- The user enters this PIN into your application, and your application uses the PIN as the oauth_verifier in the POST oauth/access_token call to obtain an access_token.
Note: PINs are not reusable, and the access_token obtained should be used for application-user requests.