Authorization header. You can use either a Maadify user session token or an OAuth 2.0 access token issued to an approved API client.
OAuth 2.0 flow
Use OAuth when an external application needs delegated access to the Maadify API on behalf of a user. Most server-side integrations should use confidential clients. Public clients can use PKCE when they cannot safely store a client secret.Create an API client
In Maadify, open API clients and click Create client.Enter a client name and one or more redirect URIs.
- Use a confidential client for most server-side integrations. The app exchanges the authorization code from your backend with a client secret.
- Use a public client with PKCE for browser apps, mobile apps, desktop apps, CLIs, or any app that cannot keep a secret.
Create a PKCE challenge for public clients
Generate a cryptographically random Store the
code_verifier, then create a SHA-256 code_challenge from it.code_verifier temporarily. You need it when you exchange the authorization code for tokens.Confidential clients typically skip this step and use the client secret during token exchange. They can also use PKCE if your integration requires an extra proof step.Send the user to authorize access
Redirect the user to the Maadify auth URL with the OAuth authorization parameters.Use
- Public client with PKCE
- Confidential client
https://data.maadify.com as the auth host.Use
code.The OAuth client ID from API clients.
One of the redirect URIs registered for the client.
Use
api.access for Maadify API access.An opaque value your application validates after redirect to prevent CSRF.
Required for public PKCE clients. The base64url-encoded SHA-256 hash of your
code_verifier.Required for public PKCE clients. Use
S256.Handle user consent
Maadify asks the signed-in user to approve or deny API access. If the user approves, Maadify redirects back to your
redirect_uri with an authorization code.Exchange the code for tokens
Exchange the authorization code at the token endpoint.
- Public client with PKCE
- Confidential client
Token refresh
If the token response includes arefresh_token, use it to request a new access token when the current token expires.
- Public client with PKCE
- Confidential client
Access control
OAuth clients can only access API surfaces approved for the client and tenant. Requests can fail even with a valid token when:- The user does not have
api.access. - The OAuth client is inactive or not approved for the tenant.
- The tenant does not have active billing for endpoints that require billing access.
- The user lacks the permission required by the specific endpoint.
Troubleshooting
401 Invalid authentication credentials
401 Invalid authentication credentials
Confirm that the
Authorization header uses Bearer {ACCESS_TOKEN} and that the token has not expired.403 OAuth client is not approved for this API
403 OAuth client is not approved for this API
Confirm that the OAuth client is active for the user’s tenant and includes the
api API surface.403 Missing permission
403 Missing permission
Ask a Maadify administrator to grant the user the permission required by the endpoint.
