Auth Flow Example

In this example, we'll take a look at the flow of a Whisk authentication request.

Authenticating

The process begins with a user attempting to access a feature that requires authentications. This could be from their recipe collection, meal plans, or when they visit a site that has integrated the Whisk APIs.

The above example walks through the authentication process of connecting Whisk to a Slack Bot. The user is passed off to the Whisk registration page to create a new account or log in with existing credentials. The following API request will redirect the user and define where to redirect the user after being authenticated.

`https://login.whisk.com/oauth/v2/authorize?` +
`scope=${REQUESTED_SCOPES}` +
`&client_id=${process.env.WHISK_CLIENT_ID}` +
`&response_type=code` +
`&redirect_uri=${REDIRECT_URI}` +
`&state=${state}`

Verification

Once the user has registered or logged in, Whisk will redirect them back to where they came from based on supplied theredirect_uri.

After the authentication redirection, you will need to handle the verification state and get the Whisk user token.

`https://login.whisk.com/oauth/v2/token` +
`?client_id=${WHISK_CLIENT_ID}` +
`&grant_type=authorization_code` +
`&code=${req.query.code}` +
`&client_secret=${WHISK_SECRET}`;

Once you have the user's token, you'll want to save it in your app. You can learn more about accessing this token in the user access token section of the docs.

Refreshing

Now, when a user needs to access an API that requires authorization, you can use the saved token or retrieved a new one when that one expires. This is what that flow would potentially look like:

In this example, you would call the following code to refresh the Whisk auth token.

`https://login.whisk.com/oauth/v2/token` +
`?client_id=${WHISK_CLIENT_ID}` +
`&grant_type=refresh_token` +
`&refresh_token=${user.refresh}` +
`&client_secret=${WHISK_SECRET}`

Now you can retrieve the new token from Whisk and update it where you stored it previously in your app. This is done by calling the Refresh Token API.