OAuth

data.world supports the OAuth 2.0 protocol for authentication and authorization. If you are new to OAuth 2.0, the OAuth Bible is a good place to start and learn some of the theory.

Below is an example of what the user experience might look like in your product:

Auth Steps

All applications follow a basic pattern when accessing a data.world API using OAuth 2.0.
The flow can be slightly different, depending on whether the application is web-based or native (desktop & mobile).

OAuth flows
  1. Application redirects user to https://data.world/oauth/authorize for authorization, providing the following parameters:
    client_id
    redirect_uri
    response_type = "code"
    state

    Example Authorization URL:

    https://data.world/oauth/authorize?
      client_id=3MVG9lKcPoNINVB&
      redirect_uri=http://localhost/oauth/code_callback&
      response_type=code
    
  2. User logs into data.world and grants application access.

  3. data.world redirects user back to the redirect_uri with:
    code
    state

  4. Application takes the code and exchanges it for an access token:
    client_id
    client_secret
    code
    redirect_uri (optional)
    grant_type = "authorization_code"

    Example Token Request:

    POST
    https://data.world/oauth/access_token?
      code=zac4ZV2XbleQ2e&
      client_id=3MVG9lKcPoNINVB&
      client_secret=3iQF9BsWEr6nCf&
      grant_type=authorization_code
    
  5. If client_id and client_secret are valid, data.world will respond with:
    access_token
    expires_in
    refresh_token
    Alternatively, if a redirect_uri was provided, data.world will invoke it passing the same list of attributes.

  6. Application stores access_token to use in subsequent requests by placing it into the request as an Authorization: Bearer [access_token] header string.

This flow requires that your application runs on a web server, so that steps #3 and #4 can be performed while your client_secret remains protected behind a server environment.

DO NOT include the client_secret for your web app in source code that is accessible to others. If you cannot guarantee the confidentiality of your client_secret, use the native applications flow instead.
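
Added example (not from data.world or its reference implementation): server-side Node.js helpers that generate the state value for step 1, reject a step 3 callback whose state does not match the one stored in the user's session, and assemble the step 4 token request in the form shown on this page. The function names and the use of a server-side session to hold state are assumptions; nothing is sent over the network.

```javascript
// Added example: state handling for the authorization-code flow (server side).
const nodeCrypto = require('crypto');

const AUTHORIZE_URL = 'https://data.world/oauth/authorize';
const TOKEN_URL = 'https://data.world/oauth/access_token';

// Step 1: build the authorization URL with a fresh, unguessable state value.
// The caller stores `state` in the user's server-side session before redirecting.
function buildAuthorizeUrl(clientId, redirectUri) {
  const state = nodeCrypto.randomBytes(32).toString('hex');
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    state,
  }).toString();
  return { url: url.toString(), state };
}

// Step 3: accept the callback only if its state matches the session's value.
// Returns the code, or null when the callback must be rejected.
function verifyCallback(query, sessionState) {
  if (typeof query.code !== 'string' || query.code === '') return null;
  // A repeated query parameter may arrive as an array; only a string is accepted.
  if (typeof query.state !== 'string' || typeof sessionState !== 'string') return null;
  const got = Buffer.from(query.state);
  const want = Buffer.from(sessionState);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) return null;
  return query.code;
}

// Step 4: assemble the token request shown on the page (not sent here).
// clientSecret comes from server-side configuration, never from client code.
function buildTokenRequest(code, clientId, clientSecret) {
  const url = new URL(TOKEN_URL);
  url.search = new URLSearchParams({
    code,
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'authorization_code',
  }).toString();
  return { method: 'POST', url: url.toString() };
}
```

Because the token request carries client_secret in the query string, as in the example token request above, keep that URL out of access logs and error reports.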

Reference implementation

Check out our reference implementation on GitHub.
This example, written in Node.js, can be deployed to your Heroku account as-is with the click of a button. Super easy!
Look for the Deploy to Heroku button at the bottom of the README.md.

Ready to get started?

Use the form below to request your OAuth keys. We’ll try to respond within one business day.

While you wait, you can start programming against our APIs using your personal API token which can be obtained at https://data.world/settings/advanced