# Auth Flow Example

## Authenticating

The process begins with a user attempting to access a feature that requires authentication. This could be from their recipe collection, meal plans, or when they visit a site that has integrated the Whisk APIs.

![](https://3538958872-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3N5JYDecgJb_Y6vL4-%2F-MI-PCU80-O9Dwlw4qpd%2F-MI-U5hqWwxpnOnKyAJR%2FWhisk%20bot%20auth%20flows%20-docs%20-%20register%20new%20user%20to%20whisk%20bot%20\(1\).jpg?alt=media\&token=708589c1-254f-42b0-89db-eb98012133c7)

The above example walks through the authentication process of connecting Whisk to a Slack Bot. The user is passed off to the Whisk registration page to create a new account or log in with existing credentials. The following request URL sends the user to Whisk and, through `redirect_uri`, defines where the user is redirected after being authenticated.

```javascript
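// URL to redirect the user to; each value is percent-encoded for the query string.
const authorizeUrl =
  `https://login.whisk.com/oauth/v2/authorize?` +
  `scope=${encodeURIComponent(REQUESTED_SCOPES)}` +
  `&client_id=${encodeURIComponent(process.env.WHISK_CLIENT_ID)}` +
  `&response_type=code` +
  `&redirect_uri=${encodeURIComponent(REDIRECT_URI)}` +
  `&state=${encodeURIComponent(state)}`;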
```

## Verification

Once the user has registered or logged in, Whisk will redirect them back to where they came from, based on the supplied `redirect_uri`.

![](https://3538958872-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3N5JYDecgJb_Y6vL4-%2F-MI-PCU80-O9Dwlw4qpd%2F-MI-YSi00P3WXo3ZXGvH%2FWhisk%20bot%20auth%20flows%20-docs%20-%20register%20redirect%20\(3\).jpg?alt=media\&token=edd6e025-dae0-4632-9b86-4516434b19b0)

After the authentication redirection, you will need to handle the verification state and get the Whisk user token.

```javascript
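// Token request URL; `code` is the value returned on the redirect.
const tokenUrl =
  `https://login.whisk.com/oauth/v2/token` +
  `?client_id=${encodeURIComponent(WHISK_CLIENT_ID)}` +
  `&grant_type=authorization_code` +
  `&code=${encodeURIComponent(req.query.code)}` +
  `&client_secret=${encodeURIComponent(WHISK_SECRET)}`;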
```

Once you have the user's token, you'll want to save it in your app. You can learn more about accessing this token in the [user access token section](https://docs.whisk.com/api-overview/auth/user-access-token/..#step-3-get-an-access-token) of the docs.
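One way to handle the `state` value before exchanging the code, shown as an added example that is not part of the Whisk docs or SDK. The function names, the in-memory `Map`, the 10-minute lifetime and the session identifier are assumptions for illustration; a real app would keep pending states in its session store.

```javascript
const { randomBytes } = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending login
const pendingStates = new Map(); // state -> { sessionId, expiresAt }; demo store only

// Before redirecting: mint an unguessable, single-use state tied to this session.
function issueState(sessionId, now = Date.now()) {
  const state = randomBytes(32).toString('base64url');
  pendingStates.set(state, { sessionId, expiresAt: now + STATE_TTL_MS });
  return state;
}

// Same authorize URL as above; URLSearchParams percent-encodes every value.
function buildAuthorizeUrl({ clientId, scopes, redirectUri, state }) {
  const params = new URLSearchParams({
    scope: scopes,
    client_id: clientId,
    response_type: 'code',
    redirect_uri: redirectUri,
    state,
  });
  return `https://login.whisk.com/oauth/v2/authorize?${params}`;
}

// In the redirect_uri handler, run this before exchanging the code for a token.
function verifyCallback(query, sessionId, now = Date.now()) {
  const { state, code } = query;
  // Repeated query parameters can arrive as arrays (e.g. in Express); accept strings only.
  if (typeof state !== 'string' || typeof code !== 'string' || code === '') {
    return { ok: false, reason: 'malformed' };
  }
  const entry = pendingStates.get(state);
  pendingStates.delete(state); // single use: a replayed callback finds nothing
  if (!entry) return { ok: false, reason: 'unknown_state' };
  if (now > entry.expiresAt) return { ok: false, reason: 'expired' };
  if (entry.sessionId !== sessionId) return { ok: false, reason: 'session_mismatch' };
  return { ok: true, code };
}
```

Only when `verifyCallback` returns `ok: true` should the returned `code` be sent to the token endpoint.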

## Refreshing

Now, when a user needs to access an API that requires authorization, you can use the saved token or retrieve a new one when that one expires. This is what that flow would potentially look like:

![](https://3538958872-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3N5JYDecgJb_Y6vL4-%2F-MI-PCU80-O9Dwlw4qpd%2F-MI-RXc1f_mSGVhfH6Xw%2FWhisk%20bot%20auth%20flows%20-docs%20-%20Refresh%20token.jpg?alt=media\&token=db4408d3-6aa1-416a-a7fd-bfde05d2871b)

In this example, you would call the following code to refresh the Whisk auth token.

```javascript
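// Refresh request URL; `user.refresh` is the refresh token saved for this user.
const refreshUrl =
  `https://login.whisk.com/oauth/v2/token` +
  `?client_id=${encodeURIComponent(WHISK_CLIENT_ID)}` +
  `&grant_type=refresh_token` +
  `&refresh_token=${encodeURIComponent(user.refresh)}` +
  `&client_secret=${encodeURIComponent(WHISK_SECRET)}`;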
```

Now you can retrieve the new token from Whisk and update it where you stored it previously in your app. This is done by calling the [Refresh Token API](https://docs.whisk.com/api-overview/auth/user-access-token/..#refreshing-tokens).
