API Authorisation Service

The API Authorization Service is an implementation of the OAuth authorization framework and is used to obtain access tokens required to access certain API endpoints.

Resource URL

GET https://api.ft.com/authorize

Parameters

Request Param | Mandatory | Value
response_type | Yes | Must be set to “token”, as per the OAuth spec
client_id | Yes | Client id obtained via the client registration process as outlined here.
redirect_uri | No | As registered during the client registration process. This is the URL to which the authorization service will send an HTTP 302 response with the access token or error response added as a URL fragment.
scope | No | A comma separated list of scopes. List of valid scopes is available here. Example: scope=user_products, profile_dem
state | No | An opaque value used by the client to maintain state between the request and the callback. For more information, please refer to the OAuth spec.

Request Headers

Header | Value
Cookie | FTSession_s={FTSession_s}, where {FTSession_s} is the value of the FTSession_s cookie that each authenticated ft.com user gets upon successfully logging onto an ft.com application.
X-Api-Key | API key that is optionally generated during user registration. This will serve as a means of authenticating API clients and authorizing their requests in the absence of an FTSession_s cookie. Note that only select clients will have this key. This key takes precedence over an FTSession_s cookie.
uid | Used in conjunction with the x-api-key, to specify for which user you wish to retrieve an access token

Request Body

Not supported.

Response

Success Response

HTTP 302, with access token appended as a URL fragment to the Location response header, as per the OAuth 2.0 spec. The following parameters are appended to the URL fragment:

Path Param | Mandatory | Value
access_token | Yes | Value of the access_token that may be used to make authorized requests to API endpoints that need authorization
token_type | Yes | Bearer
expires_in | Yes | Number of seconds the token will expire in
scope | No | The scope the access_token grants access to. This parameter is only returned if the authorization service returns a scope different to that requested. This can happen if the FTSession_s cookie used does not meet the freshness requirement to access a particular scope.
state | No | The value included in the request

Failure Response

HTTP 302, with error message appended as a URL fragment to the Location response header, or HTTP 400 if the client_id path parameter of the request is invalid.

HTTP 302 - Missing FTSession_s cookie

Path Param | Value
error | invalid_request
error_description | Missing FTSession_s cookie in authorization request

HTTP 302 - Invalid FTSession_s cookie

Path Param | Value
error | invalid_request
error_description | Invalid FTSession_s cookie in authorization request

HTTP 302 - Invalid Response Type

Path Param | Value
error | unsupported_response_type
error_description | Service only supports “token” response type

HTTP 302 - Invalid Scope Requested

Path Param | Value
error | invalid_scope
error_description | Invalid scope in authorization request

HTTP 302 - Invalid Redirect URI

Path Param | Value
error | invalid_request
error_description | The redirect_uri parameter doesn’t match the client’s registered redirect URI
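
The request and response handling described on this page, as an added example (not FT's own client code): it builds the authorization URL and validates the fragment of the 302 Location header, including the state check and the case where a narrower scope is returned. The client id, redirect URI, token and state values are constructed, and the state_mismatch and malformed_response labels are this example's own, not service error codes.

```javascript
// Added example with constructed values; not code from the FT API documentation.
const AUTHORIZE_URL = "https://api.ft.com/authorize";

// Build the GET /authorize URL. Scopes are comma separated, as the page specifies.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const q = new URLSearchParams({ response_type: "token", client_id: clientId });
  if (redirectUri) q.set("redirect_uri", redirectUri);
  if (scopes && scopes.length) q.set("scope", scopes.join(","));
  if (state) q.set("state", state);
  return `${AUTHORIZE_URL}?${q}`;
}

// Parse the Location URL of the 302 response and validate its fragment parameters.
function parseAuthorizeRedirect(location, { expectedState, requestedScopes = [], now = Date.now() }) {
  const hash = location.indexOf("#");
  const p = new URLSearchParams(hash === -1 ? "" : location.slice(hash + 1));
  // Failure responses carry error and error_description in the fragment.
  if (p.has("error")) {
    return { ok: false, error: p.get("error"), description: p.get("error_description") };
  }
  // A state that differs from the one sent means this callback is not ours.
  if (expectedState !== undefined && p.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch", description: "state differs from the request" };
  }
  const token = p.get("access_token");
  const ttl = Number(p.get("expires_in"));
  if (!token || p.get("token_type") !== "Bearer" || !Number.isInteger(ttl) || ttl <= 0) {
    return { ok: false, error: "malformed_response", description: "missing or invalid token fields" };
  }
  // scope is only returned when it differs from the requested scope.
  const scopes = p.has("scope")
    ? p.get("scope").split(",").map((s) => s.trim()).filter(Boolean)
    : [...requestedScopes];
  const missingScopes = requestedScopes.filter((s) => !scopes.includes(s));
  return { ok: true, accessToken: token, scopes, missingScopes, expiresAt: now + ttl * 1000 };
}
```

A non-empty missingScopes means the service granted less than was requested, so the client should not call endpoints that need those scopes with this token.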