Using OAuth 2.0

Memberful supports the OAuth 2.0 protocol for authentication. You may use this to sign members into your external application.

The OAuth 2.0 authorization flow

If you're using one of the pre-written OAuth 2.0 libraries, the information in this section should be all you need to get started. If, however, you want to know more about the underlying process, read the Implementing the authorization code flow section below.

When your application needs a member to sign in, redirect them to Memberful's authorization endpoint. Memberful makes sure the member is signed in, then sends them back to your application's redirect_url (see below) with an authorization code.

This authorization code has a lifetime of 1 minute, during which your application can send it to Memberful in exchange for an access_token. The access_token is itself short-lived and allows your application to communicate with Memberful on the member's behalf. Do not hard-code its lifetime: the sample token response below reports an expires_in of 3600 seconds, so treat the expires_in value you actually receive as authoritative, and use the accompanying refresh_token when it runs out.

This process requires that your application and Memberful agree on the following values: the application's identifier (its OAuth client_id), the application's secret (used when exchanging the code for a token, and never sent to the browser), and the redirect_url that Memberful sends members back to after sign-in.

You can create these values by setting up a new "Custom Application" in your admin panel (Settings → Integrate → Custom Applications).

During authentication your application talks to two Memberful endpoints: the authorization endpoint, which the member's browser is redirected to, and the token endpoint, which your server POSTs the authorization code to. Both are used in the walkthrough below.

Implementing the authorization code flow

First, redirect the user to the following URL:

https://{subdomain}.memberful.com/oauth?client_id={application identifier}&response_type=code

This will prompt the user to sign in, and then send them back to the redirect URL you specified when setting up the custom application.

The redirect URL will include an extra query parameter, code. This code's sole purpose is to be exchanged for an access token (which you can then use to fetch the member's account details); it cannot be used for anything else, so never treat the code itself as proof that the member is signed in. To exchange the code for the token, POST the standard authorization-code grant parameters as a form body to the token endpoint URL:

  grant_type=authorization_code
  code={the code from the redirect}
  client_id={application identifier}
  client_secret={application secret}

We'll then return a JSON payload along the lines of the following:

{
  "access_token": "...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "..."
}

You can then use the access_token as described in other parts of the documentation.

One notable difference between the OAuth 2.0 specification and Memberful's implementation is that only applications created by the account owner can connect to a site, so the consent step in which a member is asked to grant the application permission is redundant and is omitted: once the member is signed in, they are sent straight back to your redirect URL with a code. Because there is no consent screen, the registered redirect URL and your application's handling of the callback are the only things standing between a forged redirect and a signed-in session, so validate the callback carefully.
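The whole authorization code flow described above (the redirect to the authorization endpoint, the callback carrying code, and the exchange of that code for an access_token), as an added example that is not Memberful's own code or library. It assumes the endpoint paths /oauth and /oauth/token on the site's memberful.com subdomain, which this page does not state, and it adds the standard OAuth 2.0 state parameter as a CSRF check, assuming Memberful echoes state back as the spec requires. The Memberful side is a constructed fake token endpoint so the code runs offline; the injected post callable is where a real HTTP client would go.

```python
import json
import secrets
import urllib.parse
from dataclasses import dataclass

# Assumption: the endpoint paths are not given on this page; /oauth and
# /oauth/token on the site's memberful.com subdomain are assumed here.
AUTHORIZE_PATH = "/oauth"
TOKEN_PATH = "/oauth/token"


@dataclass
class MemberfulOAuthClient:
    """Client side of the authorization code flow for a custom application."""
    subdomain: str
    client_id: str       # the application identifier from the admin panel
    client_secret: str   # the application secret; server-side only
    redirect_url: str    # must equal the redirect URL registered for the application

    def base_url(self) -> str:
        return f"https://{self.subdomain}.memberful.com"

    def authorization_url(self) -> tuple:
        """Build the URL to redirect the member to, plus a fresh `state` value.
        Store `state` in the member's session and check it on the callback
        (standard OAuth 2.0 CSRF defence; assumed to be echoed back by Memberful
        as RFC 6749 requires, since this page does not mention it)."""
        state = secrets.token_urlsafe(32)
        params = {"client_id": self.client_id, "response_type": "code", "state": state}
        return f"{self.base_url()}{AUTHORIZE_PATH}?{urllib.parse.urlencode(params)}", state

    def parse_callback(self, callback_url: str, expected_state: str) -> str:
        """Pull the one-time code out of the redirect back to redirect_url,
        refusing it if it arrived elsewhere or the state does not match."""
        parts = urllib.parse.urlsplit(callback_url)
        if f"{parts.scheme}://{parts.netloc}{parts.path}" != self.redirect_url:
            raise ValueError("callback arrived at an unexpected URL")
        query = urllib.parse.parse_qs(parts.query)
        if query.get("state", [None])[0] != expected_state:
            raise ValueError("state mismatch: possible CSRF or replayed callback")
        if "error" in query:
            raise ValueError(f"authorization failed: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if not code:
            raise ValueError("callback carries no code parameter")
        return code

    def exchange_code(self, code: str, post) -> dict:
        """POST the code to the token endpoint and validate the response.
        `post(url, form) -> (status, body)` is injected so this runs offline;
        in production it would wrap your HTTP client's form POST."""
        form = {
            "grant_type": "authorization_code",
            "code": code,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }
        status, body = post(f"{self.base_url()}{TOKEN_PATH}", form)
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        token = json.loads(body)
        missing = [f for f in ("access_token", "token_type", "expires_in") if f not in token]
        if missing:
            raise RuntimeError(f"token response missing {missing}")
        if token["token_type"].lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {token['token_type']!r}")
        return token


class FakeTokenEndpoint:
    """Constructed stand-in for Memberful's token endpoint so the example runs
    offline. It checks the client credentials and accepts each code only once
    (single-use codes are what RFC 6749 requires; this page does not say)."""

    def __init__(self, client_id: str, client_secret: str, issued_codes):
        self.client_id = client_id
        self.client_secret = client_secret
        self.unused_codes = set(issued_codes)

    def post(self, url: str, form: dict) -> tuple:
        if not url.endswith(TOKEN_PATH):
            return 404, '{"error": "not_found"}'
        if form.get("grant_type") != "authorization_code":
            return 400, '{"error": "unsupported_grant_type"}'
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            return 401, '{"error": "invalid_client"}'
        code = form.get("code")
        if code not in self.unused_codes:
            return 400, '{"error": "invalid_grant"}'
        self.unused_codes.discard(code)  # replaying the same code now fails
        # Same shape as the sample payload on this page; values are placeholders.
        return 200, json.dumps({"access_token": "member-access-token", "token_type": "bearer",
                                "expires_in": 3600, "refresh_token": "member-refresh-token"})


def demo_flow() -> dict:
    """Run redirect, callback and exchange end to end against the fake endpoint."""
    client = MemberfulOAuthClient("example", "app-id", "app-secret", "https://app.example/callback")
    url, state = client.authorization_url()
    assert url.startswith("https://example.memberful.com/oauth?client_id=app-id")
    # Memberful would sign the member in and redirect here with a code (constructed):
    callback = f"{client.redirect_url}?code=abc123&state={state}"
    endpoint = FakeTokenEndpoint("app-id", "app-secret", issued_codes=["abc123"])
    return client.exchange_code(client.parse_callback(callback, state), endpoint.post)
```

The state check and the redirect-URL check in parse_callback are the two controls that matter most in this flow, since Memberful shows no consent screen: without them an attacker can hand a victim a link to your callback carrying the attacker's own code and log the victim into the attacker's account. The client secret stays on the server in exchange_code; only the code and state ever pass through the browser.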
