Access tokens allow apps to make requests to Arena on behalf of a user. Each access token is unique to the user and application ID. Access tokens do not expire, but they may be revoked by the user.
There are two flows for authenticating a user and obtaining an access token: code and token, which are generally used by web and client apps, respectively.
To request the authorization token, you should redirect users to the authorize endpoint:
http://dev.are.na/oauth/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=YOUR_CALLBACK_URL
  &response_type=code
If the user authorizes your application, they will be redirected back to:
YOUR_CALLBACK_URL/?code=CODE
To request the access token, exchange the returned code for an access token. You can use any HTTP client to do that.
POST https://dev.are.na/oauth/token
  ?client_id=THE_ID
  &client_secret=THE_SECRET
  &code=RETURNED_CODE
  &grant_type=authorization_code
  &redirect_uri=YOUR_CALLBACK_URL
The response will be in JSON:
{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": null
}
You can now make authenticated requests to the API signed with this access token.
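The code flow above, as an added example (not Are.na's own code): it builds the authorize redirect and the token request with percent-encoded parameters, extracts the code from the callback and validates the JSON response before the token is stored. The function names and the sample client ID, secret, callback URL and code are constructed for illustration; the request is built but not sent.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

AUTHORIZE_URL = "http://dev.are.na/oauth/authorize"  # as given on this page
TOKEN_URL = "https://dev.are.na/oauth/token"         # as given on this page

def authorize_url(client_id, redirect_uri):
    """Step 1: URL the user is redirected to; every value is percent-encoded."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code"})
    return f"{AUTHORIZE_URL}?{query}"

def code_from_callback(callback_url):
    """Step 2: read the single `code` parameter from the callback request URL."""
    codes = parse_qs(urlsplit(callback_url).query).get("code", [])
    if len(codes) != 1:  # missing, empty or repeated code: reject the callback
        raise ValueError("callback must carry exactly one code parameter")
    return codes[0]

def token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: the POST that exchanges the code. Build it server-side only,
    because it carries the client secret."""
    query = urlencode({"client_id": client_id, "client_secret": client_secret,
                       "code": code, "grant_type": "authorization_code",
                       "redirect_uri": redirect_uri})
    return Request(f"{TOKEN_URL}?{query}", method="POST")

def parse_token_response(body):
    """Step 4: validate the JSON response and return the access token."""
    data = json.loads(body)
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("no access_token in response")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    # expires_in is null: the token stays valid until the user revokes it,
    # so store it with the same care as a password.
    return token

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cb = "https://app.example/callback"
    print(authorize_url("my-client-id", cb))
    code = code_from_callback(cb + "/?code=constructed-code")
    req = token_request("my-client-id", "my-client-secret", code, cb)
    print(req.get_method(), req.full_url)
    print(parse_token_response(
        '{"access_token": "ACCESS_TOKEN", "token_type": "bearer", "expires_in": null}'))
```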