API authentication
Funkwhale uses the OAuth authorization grant flow for external apps. This flow is a secure way to authenticate apps that requires a user’s explicit consent to perform actions.
1. Create an application
To connect to the Funkwhale API using OAuth, you need to create an application. This represents the entity credentials are related to.
When creating an application you need to define the scopes the application has access to. Scopes define what information your application can access. Each scope can be granted with the following rights:
read:<scope>
: grants read-only access to the resourcewrite:<scope>
: grants write-only access to the resource
read
rights are required to fetch information using a GET
request. All other actions (POST
, PATCH
, PUT
, and DELETE
) require write
privileges. You may give an application both read
and write
access to any scope.
Scope |
Description |
---|---|
|
Read-only access to all data |
|
Read-only access to all data |
|
Access to profile data (email address, username, etc.) |
|
Access to library data (uploads, libraries, tracks, albums, artists, etc.) |
|
Access to favorites |
|
Access to history |
|
Access to followers |
|
Access to playlists |
|
Access to radios |
|
Access to content filters |
|
Access to notifications |
|
Access to metadata edits |
Next, you need to define a Redirect URI. This is the location the user is redirected to once they authenticate your app. This can be any URI you want.
Note
Funkwhale supports the urn:ietf:wg:oauth:2.0:oob
redirect URI for non-web applications. If you use this URI, the user is shown a token to copy and paste.
Once you’ve decided on your scopes and your redirect URI, you can create your app using one of the following methods:
Visit
/settings/applications/new
on your Funkwhale pod while logged inSend a
POST
request to/api/v1/oauth/apps
. See our API documentation for more information
3. Get an access token
Once you receive your authorization code, you need to request an access token. To request an access token, call the /api/v1/oauth/token
endpoint with the following information:
grant_type
* - Must be set toauthorization_code
code
* - Your application’s authorization coderedirect_uri
* - Your redirect URIclient_id
* Your application’s client ID
The server responds with an access_token
and a refresh_token
. See the OAuth spec for more information about this response.
You can use this token to authenticate calls from your application to the Funkwhale API by passing it as a request header with the following format: Authorization: Bearer <token>
.
4. Refresh your access token
Important
When you refresh your token the endpoint returns a new refresh_token
. You must update your refresh token each time you request a new access token.
By default, Funkwhale access tokens are valid for 10 hours. Pod admins can configure this by setting the ACCESS_TOKEN_EXPIRE_SECONDS
variable in their .env
file.
After the access token expires, you must request a new access token by calling the /api/v1/oauth/token
endpoint with the following information:
grant_type
* - Must be set torefresh_token
refresh_token
* - Your current refresh tokenscope
- A list of scopes
See the OAuth spec for more information about this response.