Appearance
OAuth 2.0
Integrate your application with Archilogic using OAuth 2.0 to access floor plans, spaces, and building data on behalf of users.
Authorization Code Flow
Archilogic supports the OAuth 2.0 authorization code flow. For server-to-server integrations, use Secret Access Tokens instead.
1. Authorization
<endpoint>/oauth/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
state=RANDOM_STATE_VALUEUsers will be prompted to approve permissions on first authorization. After consent, they're redirected to your redirect_uri with an authorization code (?code=...&state=...). On error, the redirect includes ?error=...&error_description=...&state=... instead.
TIP
The state parameter is recommended for CSRF protection. Your application should verify the returned state matches the value you sent.
2. Token Exchange
bash
curl -X POST <endpoint>/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "code=AUTHORIZATION_CODE"Returns:
json
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "bearer"
}INFO
Authorization codes expire after 5 minutes. Access tokens do not expire automatically — revoke them through consent management (see below).
WARNING
Access tokens are opaque strings, not JWTs. Do not attempt to decode or parse them — treat them as an opaque bearer credential.
3. API Access
bash
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
"https://api.archilogic.com/v2/floor/FLOOR_ID"Configuration
Scopes
OAuth applications use the same scopes as secret access tokens. Configure scopes when registering your application with Archilogic support.
The authorizing user must have all of the application's registered scopes. If the user lacks any requested scope, authorization is denied entirely — scopes are not silently downscoped.
Managing Consents
Users can view and revoke application permissions at any time through their Archilogic account settings. Revoking consent deletes all access tokens issued to that application.
Application Registration
To register your OAuth application, contact Archilogic support with:
- Application name
- Redirect URI
- Required scopes
WARNING
Only one redirect URI can be registered per application. Keep your client_secret confidential and only use the authorization code flow from server-side applications.
Rate Limiting
OAuth tokens follow standard API rate limits.
Error Codes
Token endpoint errors return HTTP 400. Authorization endpoint errors are returned as query parameters on the redirect URI.
json
{ "error": "error_code", "error_description": "error message" }| Error Code | Description | Solution |
|---|---|---|
invalid_request | Missing required parameter | Check all required fields are set |
invalid_client | Unknown or invalid client_id | Verify client ID |
invalid_grant | Authorization code is invalid/expired (codes expire after 5 minutes) | Request new authorization |
unsupported_grant_type | Grant type not supported (only authorization_code is supported) | Use authorization_code |
access_denied | User denied consent or lacks the required scopes | Handle gracefully in your app |
Related Resources
- Authentication - Overview of all authentication methods
- API Reference - Complete API documentation
- Contact Support - Get help with integration