Overview
This guide outlines the steps necessary for integrating the OAuth authentication workflow between an Actor (end user), a Host (client application), and Quicko.Actor
The end user who initiates the OAuth flow
Host
Your client application requesting access to Open APIs
OAuth App
Quicko’s OAuth application that manages authentication
OAuth Flow
Workflow Steps
Initialization from Host
The Host sends an intent along with options to the OAuth App.Options include:
- API Key (provided during onboarding)
- Redirect URI (where the user returns after consent)
The Host application initiates the flow by redirecting the Actor to Quicko’s OAuth application.
Actor Consent on OAuth
The OAuth App authenticates and obtains consent from the Actor.Authentication Process:
- OAuth App sends an OTP to the Actor to establish their identity
- Actor enters the OTP to verify their identity
- Actor is presented with a consent screen
- Actor reviews and approves the Host’s access request
request_token for the Host.Redirection Back to Host
Upon the Actor’s consent, the OAuth App redirects back to the Host.Redirect Details:
- Issues HTTP 302 status code
- Redirects to the URI provided by the Host
- Appends the Resource Owner’s
request_tokenas a query parameter
Acquiring Access and Refresh Tokens
The Host exchanges the
request_token for long-lived tokens.The Host calls the OAuth Authorize API with:request_token(from the redirect)x-api-key(your API key)- API User’s
access_token(from authenticate endpoint)
- Resource Owner’s
access_token- to access Open APIs - Resource Owner’s
refresh_token- to get new access tokens
Understanding Different Tokens
All of the tokens mentioned below belong to the Actor (Resource Owner), not your application.
Request Token
Request Token
Description: A short-lived token which the Host must exchange to receive the Resource Owner’s access token.
| Property | Value |
|---|---|
| Lifetime | 10 minutes |
| Purpose | Initiate token exchange |
| Source | Returned after Actor grants consent |
| Usage | Exchange for access token via OAuth Authorize API |
Access Token
Access Token
Description: Used by the Host to access Quicko’s Open APIs on behalf of the Resource Owner.
Example:
| Property | Value |
|---|---|
| Lifetime | 24 hours |
| Purpose | Access Open APIs |
| Source | Received via OAuth Authorize API |
| Usage | Include in Authorization header when calling Open APIs |
When the access token expires, use the refresh token to obtain a new one without requiring the Actor to re-authenticate.
Refresh Token
Refresh Token
Description: Long-lived token for obtaining new access tokens without user interaction.
When to use:
| Property | Value |
|---|---|
| Lifetime | 1 year |
| Purpose | Obtain new access tokens |
| Source | Received via OAuth Authorize API |
| Usage | Exchange for new access token via Authorize API |
- Access token has expired (after 24 hours)
- You receive 401 Unauthorized response from Open APIs
- Proactively refresh before expiry
Complete OAuth Journey
The diagram above illustrates the complete OAuth flow:- Redirect - Host App redirects user to Quicko OAuth with
api_keyandredirect - Redirect - After user consent, Quicko redirects back to Host App with
request_token - Authorize - Host App calls Quicko API Server with
request_token - Response - Quicko API Server returns
access_tokenandrefresh_token - End - Host App can now access Open APIs on behalf of the user
Best Practices
Secure Storage
Store tokens securely in your database with encryption. Never expose them in client-side code or logs.
Token Refresh
Implement automatic token refresh logic before the access token expires to ensure seamless API access.
Error Handling
Handle token expiration gracefully. Catch 401 errors and automatically refresh the access token.
User Consent
Respect user consent. Provide clear options for users to revoke access to their data.