Web and Public App Integrations with Authorization Code Grant Type
Web app and public app integrations allow applications to integrate with Marketing Cloud on behalf of an end user, using the intersection of the app’s and user’s permissions. A public app can’t securely store a client secret, but a web app can.
Use the authorization code grant type to allow your web or public app to access Marketing Cloud resources on behalf of a user. In the authorization code flow, end users are redirected to Marketing Cloud to authorize your application to act on their behalf. After the redirect, the user gives authorization to your application by logging in to Marketing Cloud. After login, Marketing Cloud redirects the user to your application's redirect URL, which you specify when you create the API integration in Installed Packages. As part of this redirect, Marketing Cloud appends an authorization code to the redirect URL for your application to use. Your application then uses the authorization code to request an access token from Marketing Cloud.
It can take up to five minutes before authorization codes, access tokens, and refresh tokens generated by the v2/authorize and v2/token endpoints incorporate any changes made to the API integration in Installed Packages.
- Initiate authorization. Your application directs the user’s web browser to your integration’s Marketing Cloud authorization URL.
- Your application is authorized. By logging in to Marketing Cloud, the end user authorizes your application to act on their behalf.
- Extract authorization code. Marketing Cloud redirects the user’s web browser to your application and returns an authorization code that your application must extract.
- Request access token using authorization code. Your application requests an access token by providing the authorization code.
- Extract access token. The Marketing Cloud authorization server returns an access token that your application must extract.
- Access resources. Your application accesses Marketing Cloud using the access token it received and the REST or SOAP base URLs returned as part of the token response.
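The following sketch walks through the client side of steps 1, 3, and 4. It is an added example, not Salesforce code. The query and body parameter names are the standard OAuth 2.0 ones from RFC 6749 and are assumed here, as is the use of a `state` value to bind the redirect to the user's session; `AUTH_BASE`, `CLIENT_ID`, and `REDIRECT_URL` are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumed): use the values from your API integration in Installed Packages.
AUTH_BASE = "https://auth.example.invalid"  # your integration's authorization base URL
CLIENT_ID = "example-client-id"
REDIRECT_URL = "https://app.example.com/oauth/callback"


def build_authorization_url(state):
    """Initiate authorization: the URL the user's browser is directed to."""
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URL,
        "state": state,  # ties the later redirect to this browser session
    })
    return f"{AUTH_BASE}/v2/authorize?{query}"


def extract_authorization_code(callback_url, expected_state):
    """Extract authorization code: accept it only from the redirect we expect."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URL)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URL")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])
    if len(state) != 1 or not hmac.compare_digest(state[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code, client_secret=None):
    """Request access token: endpoint and parameters; a public app sends no secret."""
    body = {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URL}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return f"{AUTH_BASE}/v2/token", body


if __name__ == "__main__":
    state = secrets.token_urlsafe(32)  # unguessable; keep it in the user's session
    print(build_authorization_url(state))
```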