Signing members in with OAuth 2.0

Memberful supports the OAuth 2.0 protocol for authentication. You can use this to sign members in to your external application.

The OAuth 2.0 authorization flow

We strongly recommend using a pre-written OAuth 2.0 library. If you want to know more about the underlying process, please read the Implementing the authorization code flow section below.

When your application wants to force a member to sign in, redirect them to Memberful's authorization endpoint. That endpoint makes sure the member is signed in before sending them back to your application's redirect_url (see below) with an authorization code.

The authorization code has a lifetime of 1 minute. During that 1-minute window your application can send it to Memberful in exchange for an access_token. The access_token is active for 15 minutes and allows your application to communicate with Memberful on the member's behalf.

This process requires that your application and Memberful both know the following information:

You can create these values by setting up a new "Custom Application" in your admin panel (Settings → Integrate → Custom Applications).

During authentication, send these requests to the following URLs:

Implementing the authorization code flow

First, redirect the member to the following URL:

https://{subdomain}{application identifier}&response_type=code

This will prompt the member to sign in, and then send them back to the redirect URL you specified when setting up the custom application.

The redirect URL will include an extra parameter, code. This code's sole purpose is to be exchanged for an access token (which you can then use to fetch the member's account details); it cannot be used for anything else. To exchange the code for the token, POST the following parameters to the token endpoint URL:

You'll receive a payload that looks like this:

{
  "access_token": "...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "..."
}

Now you can use the access_token as described below in Signing members in.

One notable difference between the OAuth 2.0 specification and Memberful's implementation of it: only custom applications created by the account owner can interact with a site, so asking the member for permission to connect to an application is redundant and Memberful does not prompt for it.

Signing members in

Once you've acquired an access token, you can make a GET request to the Memberful GraphQL API endpoint to get information about the member:

This endpoint has a single field called currentMember with GraphQL type Member. You have to specify what information you need in the query parameter.

Example query:

{
  currentMember {
    address {
      city
      street
      postalCode
      country
    }
    creditCard {
      expMonth
      expYear
    }
    customField
    downloads {
      id
      name
    }
    email
    fullName
    id
    phoneNumber
    subscriptions {
      active
      expiresAt
      plan {
        id
        name
      }
    }
    unrestrictedAccess
  }
}

Example response:

{
  "data": {
    "currentMember": {
      "address": {
        "city": null,
        "street": null,
        "postalCode": null,
        "country": null
      },
      "creditCard": {
        "expMonth": 10,
        "expYear": 2020
      },
      "customField": "",
      "downloads": [
        {
          "id": "1",
          "name": "A download"
        }
      ],
      "email": "",
      "fullName": "John Doe",
      "id": "1",
      "phoneNumber": null,
      "subscriptions": [
        {
          "active": true,
          "expiresAt": 1528625190,
          "plan": {
            "id": "1",
            "name": "Monthly"
          }
        }
      ],
      "unrestrictedAccess": false
    }
  }
}

Please check our API explorer to learn more about the available GraphQL types.
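The whole flow described on this page (redirect, code exchange, member lookup) as an added Python example; it is not Memberful's own code. The endpoint paths, the client_id name and the token-request parameter names are assumptions taken from standard OAuth 2.0 (the page's tables did not survive extraction), and the state parameter is the standard way to bind the callback to the login attempt that started it; the transport argument exists so the functions can be exercised offline.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Placeholders: fill in from Settings → Integrate → Custom Applications. Endpoint paths are
# placeholders too, because the page's URL table did not survive extraction.
SITE = "https://SUBDOMAIN.memberful.com"
AUTHORIZE_URL, TOKEN_URL, GRAPHQL_URL = (SITE + "/AUTHORIZATION_ENDPOINT", SITE + "/TOKEN_ENDPOINT", SITE + "/GRAPHQL_ENDPOINT")
CLIENT_ID, CLIENT_SECRET = "APPLICATION_IDENTIFIER", "APPLICATION_SECRET"
REDIRECT_URI = "https://app.example.com/oauth/callback"
MEMBER_QUERY = "{ currentMember { id fullName email unrestrictedAccess subscriptions { active expiresAt plan { id name } } } }"

def http_json(url, data=None, headers=None):
    """Real HTTP call via urllib; the functions below accept a replacement for offline testing."""
    req = Request(url, data=data, headers=headers or {}, method="POST" if data else "GET")
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def new_state():
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)

def authorization_url(state):
    # client_id is the standard OAuth 2.0 parameter name (assumed); response_type=code is from the page.
    return AUTHORIZE_URL + "?" + urlencode({"client_id": CLIENT_ID, "response_type": "code", "state": state})

def code_from_callback(callback_url, expected_state):
    """Return the short-lived code, refusing callbacks whose state does not match the stored one."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def exchange_code(code, transport=http_json):
    """POST the code for a token; the parameter names are the standard authorization_code grant (assumed)."""
    body = urlencode({"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}).encode()
    token = transport(TOKEN_URL, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    if "access_token" not in token or token.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response: %r" % token)
    return token

def current_member(access_token, transport=http_json):
    """GET the GraphQL endpoint with the query in the query string and the token as a bearer header."""
    url = GRAPHQL_URL + "?" + urlencode({"query": MEMBER_QUERY})
    return transport(url, headers={"Authorization": "Bearer " + access_token})["data"]["currentMember"]
```

Because the code expires after one minute and the token after a short window, call exchange_code immediately in the callback handler and keep the token server-side rather than handing it to the browser.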
