OAuth2.0

Eventbrite complies with the official OAuth2.0 specifications. You are welcome to plan your implementation around the User-Agent workflow described in those documents.

We have assembled the following notes and workflow diagrams to help simplify your development efforts:

OAuth2.0 Terms

Name - Description
client_id - The OAuth2.0 spec refers to a client_id. In our documentation we refer to this parameter as an API key or Application key. This key is meant to identify your application, and its value should be safe for public visibility.
redirect_uri - This value, configurable per API Key, should contain a web address that the user will be redirected to after they approve or deny authorization for your app. For mobile clients, development, or testing purposes, you may want to set this value to http://localhost/.
client_secret - Your application’s client_secret should never be shown to users or leaked in source code. It’s called a secret for a reason! It can be used to exchange a user’s intermediary access_code for an access_token.
response_type - Set this value to code for server-side languages, or token for client-side OAuth2.0 interactions.
access_code - An intermediary user-access code that can be used by the application owner to obtain a valid access_token.
access_token - A user and app-specific access token is the final output of this process. You can save these tokens for later use, or ask the user to re-authorize your app upon each new session. These tokens should not be visible to other users.

If you need to store these tokens for later use, please do so securely. Information on how to use an access_token to contact the API is included in our authentication guide.

Interactive OAuth2 Demos

This site uses an OAuth2.0 workflow to provide access to your account data for use in our interactive API method pages. You can try logging in via OAuth2.0 by clicking the Login link in the My Account menu, in the top right corner of any of our documentation pages. Our workflows page also includes a diagram of this process.

Additional live demos are available on GitHub:

  1. Javascript LoginWidget Demo
  2. jQuery Mobile App Demo

Implementation Steps for Client-Side Languages

If you are planning to use JavaScript with the Eventbrite API, we recommend taking a look at our OAuth2 login widget and the related API client documentation.

Our authorization workflow notes illustrate how this experience may look for an average user.

  1. Configure your API key - Set your redirect_uri to the URL that your users should be sent to after they approve or deny your app.
  2. Request authorization from the user - Provide a link or redirect that sends the user to the following URL:
    https://www.eventbrite.com/oauth/authorize?response_type=token&ref=oauth&client_id=YOUR_API_KEY

    NOTE An optional ref parameter can be added to the above URL.

  3. Collect the response tokens - After approving or denying access, the user will be sent back to the redirect_uri associated with your application key. If your application’s authorization was approved, then the user’s access_token will be added to the hash fragment portion of the return URL. Our main authentication guide describes how to use this access_token to construct API request URLs, providing access to the related user’s account data.

Implementation Steps for Server-Side Languages

Our PHP API client includes code that can further simplify this work.

See our authorization workflow notes for a visual overview of this process.

  1. Configure your API key - Set your redirect_uri to the URL that your users should be sent to after they approve or deny your app.
  2. Request authorization from the user - Provide a link or redirect that sends the user to the following URL:
    https://www.eventbrite.com/oauth/authorize?response_type=code&client_id=YOUR_API_KEY

    NOTE An optional ref parameter can be added to the above URL.

  3. Collect the response tokens - After approving or denying access, the user will be sent back to the redirect_uri associated with your application key. If your application’s authorization was approved, then the user’s access_code will be available as the value of the code parameter in the querystring.
  4. Exchange the access_code for an access_token - Send a server-side POST request to:
    https://www.eventbrite.com/oauth/token

    This POST must contain the following URL-encoded data:

    code=THE_USERS_AUTH_CODE&client_secret=YOUR_CLIENT_SECRET&client_id=YOUR_API_KEY&grant_type=authorization_code

    NOTE You may need to provide the following request header as well:

    Content-type: application/x-www-form-urlencoded\r\n

    The subsequent POST response should contain the user’s access_token. Our main authentication guide describes how to use this access_token to construct API request URLs, providing access to the related user’s account data.
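
Steps 3 and 4 of the server-side flow, as an added Python example (not Eventbrite's own client code). It assumes the token endpoint answers with a JSON body containing access_token, as the OAuth2.0 spec defines; the callback URL, the EVENTBRITE_CLIENT_SECRET environment variable name and the function names are constructed for illustration.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://www.eventbrite.com/oauth/token"  # endpoint from step 4


def code_from_callback(callback_url):
    """Step 3: return the access_code from the redirect_uri request, or None."""
    query = urllib.parse.urlsplit(callback_url).query
    values = urllib.parse.parse_qs(query).get("code", [])
    # No code (user denied) or a duplicated parameter: refuse rather than guess.
    return values[0] if len(values) == 1 else None


def build_token_request(code, client_id, client_secret):
    """Step 4: build (without sending) the server-side POST to the token endpoint."""
    body = urllib.parse.urlencode({
        "code": code,
        "client_secret": client_secret,
        "client_id": client_id,
        "grant_type": "authorization_code",
    }).encode("ascii")  # urlencode escapes '&', '=', spaces in every value
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def exchange_code(code, client_id, client_secret, opener=urllib.request.urlopen):
    """Send the POST and return the access_token (assumes a JSON response body)."""
    req = build_token_request(code, client_id, client_secret)
    with opener(req, timeout=10) as resp:
        payload = json.load(resp)
    return payload["access_token"]


if __name__ == "__main__":
    # Constructed callback request; host and code value are placeholders.
    code = code_from_callback("https://example.com/callback?code=SAMPLE_CODE")
    # The secret is read from the environment (assumed variable name), never from source.
    secret = os.environ.get("EVENTBRITE_CLIENT_SECRET", "placeholder-secret")
    req = build_token_request(code, "YOUR_API_KEY", secret)
    # Log the destination only; the body carries the secret and must stay out of logs.
    print(req.get_method(), req.full_url, len(req.data), "bytes")
```

Because the client_secret travels in the POST body, this exchange belongs on the server only; the browser should never see anything past the access_code.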