ℹ️ OAuth in Micro.blog

Micro.blog uses IndieAuth, which is a flavor of OAuth designed to work across web sites, not tied to a central authorization server. Because it’s based on OAuth, you can access Micro.blog from your app just like you would another OAuth provider.

You will mostly be accessing these URLs:

  • authorization endpoint: https://micro.blog/indieauth/auth
  • token endpoint: https://micro.blog/indieauth/token

To get started, open a web browser window from your app with the authorization endpoint, to ask the user to sign in to their Micro.blog account:

https://micro.blog/indieauth/auth?client_id=[url]&
  scope=create&
  state=[state]&
  response_type=code&
  redirect_uri=[url]

Note that Micro.blog does not have passwords, so this works best if the user is already signed in. For this reason, on mobile prefer opening the user’s default web browser (where they may already be signed in) rather than an embedded web view inside your app.

Parameters:

  • client_id: This should be the URL for your app. It’s shown to users when prompted to sign in.
  • scope: Set this to “create” so users can create new blog posts.
  • state: This can be a random string that we’ll send back to you after authorization. You can verify that the value matches what you sent Micro.blog to prevent forged requests.
  • response_type: Set this to “code”.
  • redirect_uri: This is the callback URL that we’ll redirect back to.

When the user approves your app to access Micro.blog, we’ll redirect back to your redirect_uri with state and code values, like this:

https://yourapp.com/callback?state=12345&code=ABCDEFG

This redirect URL can also use a custom URL scheme:

yourapp://callback?state=12345&code=ABCDEFG

With the authorization code, request an access token from Micro.blog’s token endpoint by sending a POST to Micro.blog:

POST /indieauth/token
Host: micro.blog
Content-Type: application/x-www-form-urlencoded
Accept: application/json

code=ABCDEFG&client_id=https://yourapp.com&grant_type=authorization_code

Parameters:

  • code: The code you were sent in the callback URL.
  • client_id: This should be the URL for your app. It’s shown to users when prompted to sign in.
  • grant_type: Set to “authorization_code”.

Note that Micro.blog does not use a client_secret parameter like some OAuth providers need.

If everything works, you’ll get a JSON response with the access token to use in subsequent requests to the Micro.blog API:

{
  "access_token": "HIJKLMNOP",
  "token_type": "Bearer",
  "scope": "create",
  "me": "https://someone.micro.blog/",
  "profile": {
    "name": "Someone",
    "url": "https://someone.micro.blog/",
    "photo": "https://avatars.micro.blog/..."
  }
}

Send this token in the HTTP header “Authorization”, like this:

GET /posts/timeline
Host: micro.blog
Authorization: Bearer HIJKLMNOP
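
The client side of the flow above, as an added example that is not Micro.blog's own code: it builds the authorization URL with an unpredictable state for each sign-in attempt, rejects a callback whose state does not match, and prepares the token POST without sending it. The function names and the yourapp.com values are assumptions for illustration.

```python
import hmac
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://micro.blog/indieauth/auth"
TOKEN_ENDPOINT = "https://micro.blog/indieauth/token"


def build_authorization_url(client_id, redirect_uri):
    """Return (url, state). Keep state with the sign-in attempt until the callback."""
    state = secrets.token_urlsafe(32)  # unpredictable, one per sign-in attempt
    query = urlencode({
        "client_id": client_id,
        "scope": "create",
        "state": state,
        "response_type": "code",
        "redirect_uri": redirect_uri,
    })
    return f"{AUTH_ENDPOINT}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the code; raise ValueError unless exactly one matching state is present."""
    params = parse_qs(urlsplit(callback_url).query)
    states, codes = params.get("state", []), params.get("code", [])
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one state and one code")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible forged callback")
    return codes[0]


def build_token_request(code, client_id):
    """Build (but do not send) the POST that exchanges the code for a token."""
    body = urlencode({
        "code": code,
        "client_id": client_id,
        "grant_type": "authorization_code",
    }).encode()
    return urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


if __name__ == "__main__":
    url, state = build_authorization_url("https://yourapp.com", "yourapp://callback")
    code = code_from_callback(f"yourapp://callback?state={state}&code=ABCDEFG", state)
    print(url, build_token_request(code, "https://yourapp.com").data.decode(), sep="\n")
```

Discard the stored state after one callback so a replayed redirect cannot be matched a second time.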

For a list of JSON endpoints you can use with a token, see this help page.