The API Authorization Service is an implementation of the OAuth authorization framework and is used to obtain access tokens required to access certain API endpoints.
GET https://api.ft.com/authorize
Request Param | Mandatory | Value |
---|---|---|
response_type | Yes | Must be set to “token”, as per the OAuth spec |
client_id | Yes | Client id obtained via the client registration process as outlined here. |
redirect_uri | No | As registered during the client registration process. This is the URL to which the authorization service will send an HTTP 302 response with the access token or error response added as a URL fragment. |
scope | No | A comma separated list of scopes. List of valid scopes is available here. Example: scope=user_products, profile_dem |
state | No | An opaque value used by the client to maintain state between the request and the callback. For more information, please refer to the OAuth spec. |
Header | Value |
---|---|
Cookie | FTSession_s={FTSession_s}, where {FTSession_s} is the value of the FTSession_s cookie that each authenticated ft.com user gets upon successfully logging on to an ft.com application. |
X-Api-Key | API key that is optionally generated during user registration. This serves as a means of authenticating the API client and authorizing its requests in the absence of an FTSession_s cookie. Note that only select clients will have this key. This key takes precedence over an FTSession_s cookie. |
uid | Used in conjunction with the x-api-key, to specify for which user you wish to retrieve an access token |
Not supported.
HTTP 302, with access token appended as a URL fragment to the Location response header, as per the OAuth 2.0 spec. The following parameters are appended to the URL fragment:
Path Param | Mandatory | Value |
---|---|---|
access_token | Yes | Value of the access_token that may be used to make authorized requests to API endpoints that need authorization |
token_type | Yes | Bearer |
expires_in | Yes | Number of seconds the token will expire in |
scope | No | The scope the access_token grants access to. This parameter is only returned if the authorization service returns a scope different to that requested. This can happen if the FTSession_s cookie used does not meet the freshness requirement to access a particular scope. |
state | No | The value included in the request |
HTTP 302, with error message appended as a URL fragment to the Location response header or HTTP 400 if the client_id path parameter of the request is invalid.
Path Param | Value |
---|---|
error | invalid_request |
error_description | Missing FTSession_s cookie in authorization request |
Path Param | Value |
---|---|
error | invalid_request |
error_description | Invalid FTSession_s cookie in authorization request |
Path Param | Value |
---|---|
error | unsupported_response_type |
error_description | Service only supports “token” response type |
Path Param | Value |
---|---|
error | invalid_scope |
error_description | Invalid scope in authorization request |
Path Param | Value |
---|---|
error | invalid_request |
error_description | The redirect_uri parameter doesn’t match the client’s registered redirect URI |
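
Added example (not part of the original documentation): one way a client could parse the Location fragment of the success and error responses described above, checking state, token_type and expires_in and detecting a scope narrower than requested. The function name, the local error codes `state_mismatch` and `malformed_response`, the client.example URLs and the assumption that a returned scope is comma separated like the request parameter are not from the service.

```javascript
// Added example. parseAuthorizeRedirect and its arguments are hypothetical names.
// locationUrl: value of the Location header (or window.location.href on the callback page).
function parseAuthorizeRedirect(locationUrl, expectedState, requestedScopes) {
  const params = new URLSearchParams(new URL(locationUrl).hash.replace(/^#/, ""));
  const stateOk = params.get("state") === expectedState;

  // Error case: the service puts error and error_description in the fragment.
  if (params.has("error")) {
    return { ok: false, error: params.get("error"),
             description: params.get("error_description"), stateOk };
  }
  // A token that arrives with the wrong state was not requested by this session.
  // "state_mismatch" and "malformed_response" are local codes, not service errors.
  if (!stateOk) {
    return { ok: false, error: "state_mismatch", description: null, stateOk };
  }
  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type") || "";
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken || tokenType.toLowerCase() !== "bearer" ||
      !Number.isInteger(expiresIn) || expiresIn <= 0) {
    return { ok: false, error: "malformed_response", description: null, stateOk };
  }
  // scope is only returned when it differs from what was requested
  // (assumed comma separated, like the request parameter).
  const granted = params.has("scope")
    ? params.get("scope").split(",").map((s) => s.trim()).filter(Boolean)
    : [...requestedScopes];
  const missing = requestedScopes.filter((s) => !granted.includes(s));
  return { ok: true, accessToken, expiresIn, granted, missing, stateOk };
}

// Constructed sample redirects (client.example and all values are made up).
const SAMPLE_OK = "https://client.example/cb#access_token=abc123&token_type=Bearer&expires_in=3600&state=xyz";
const SAMPLE_NARROWED = "https://client.example/cb#access_token=abc123&token_type=Bearer&expires_in=3600&scope=user_products&state=xyz";
const SAMPLE_ERROR = "https://client.example/cb#error=invalid_scope&error_description=Invalid%20scope%20in%20authorization%20request";
```

A non-empty `missing` array tells the client that the token does not cover every scope it asked for, which the documentation attributes to an FTSession_s cookie that is not fresh enough.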