OAuth 2.0

Basic Concepts

Authorization Server

The server responsible for issuing access tokens to the client after successfully authenticating and authorizing the client. The authorization server is sometimes also responsible for user authentication.


Possible ways a client can obtain an Access Token based on the type of application.

Application Type

Regular Web App: Traditional web application that performs most of its application logic on the server (e.g., Express.js, ASP.NET). Grant type: Authorization Code

Native App: Mobile or Desktop app that runs natively in a device (e.g., iOS, Android). Grant type: Authorization Code + PKCE

Single-Page App (SPAs): JavaScript application that performs most of its user interface logic in a web browser, communicating with a web server primarily using APIs (e.g., AngularJS + Node.js, React). Grant type: Authorization Code + PKCE

Machine-to-Machine (M2M) App: Non-interactive application, such as command-line tools, daemons, IoT devices, or services running on your back-end. Typically, you use this option if you have a service that requires access to an API. Grant type: Client Credential Grant


The 80-character public portion of the WSKey.


A string which represents the functionality which the client is requesting authorization to use.

Authorization Code

The unique string which represents the fact that a user has successfully authenticated and the application has been granted the right to access one or more scopes for a particular institution. Authorization Codes are exchanged by clients to obtain Access Tokens.

Access Token

A credential that can be used by an application to access an API. Access Tokens can be either an opaque string or a JSON Web Token (JWT).

Partial scopes

An access token which is returned with only SOME of the scopes the client application requested.  

Basic Authentication

A simple authentication scheme used to protect HTTP requests. Requests contain the Authorization header with the key and secret joined by a colon and base64 encoded.
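The header format described above, as an added example that is not code from the original page or from the service it documents: a client builds the header, and a server parses it and checks the secret. The function names and the sample key and secret are constructed for illustration.

```python
import base64
import hmac

def build_basic_header(key: str, secret: str) -> str:
    """Client side: join key and secret with a colon, then Base64-encode."""
    if ":" in key:
        # The first colon is the separator, so a colon in the key is ambiguous.
        raise ValueError("key must not contain ':'")
    token = base64.b64encode(f"{key}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_header(header: str):
    """Server side: return (key, secret), or None if the header is malformed."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except ValueError:  # covers bad Base64, non-ASCII input and bad UTF-8
        return None
    # Split on the FIRST colon only: the secret itself may contain colons.
    key, sep, secret = decoded.partition(":")
    if not sep or not key:
        return None
    return key, secret

def authenticate(header: str, registered: dict) -> bool:
    """Compare the presented secret with the stored one in constant time."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    key, secret = parsed
    # Unknown keys are compared against an empty value so the code path is
    # the same for known and unknown keys.
    expected = registered.get(key, "")
    matches = hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8"))
    return key in registered and matches

# Constructed sample credentials, not real ones.
CLIENTS = {"example-key": "s3cr3t:with:colons"}
HEADER = build_basic_header("example-key", "s3cr3t:with:colons")
# Base64 is an encoding, not encryption: anyone who sees HEADER can recover
# the secret, so the request must only travel over TLS.
```
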

Refresh Token

A longer-lived token that a client can request, which allows an application to obtain a new access token without prompting the user.

Token Revocation

Applications can programmatically revoke the access a user has given to them. Revocation is important when a user unsubscribes, removes an application or "logs out".

For a detailed technical overview of the OAuth 2.0 standard, please see RFC 6749.