Web and Public App Integrations with Authorization Code Grant Type
Web app and public app integrations allow applications to integrate with Marketing Cloud Engagement on behalf of an end user, using the intersection of the app’s and user’s permissions. A public app can’t securely store a client secret, but a web app can.
Use the authorization code grant type to allow your web or public app to access Marketing Cloud Engagement resources on behalf of a user. In the authorization code flow, end users are redirected to Marketing Cloud Engagement to authorize your application to act on their behalf. After the redirect, the user gives authorization to your application by logging in. After login, Marketing Cloud Engagement redirects the user to your application's redirect URL, which you specify when you create the API integration in Installed Packages. As part of this redirect, Marketing Cloud Engagement appends an authorization code to the redirect URL for your application to use. Your application then uses the authorization code to request an access token.
It can take up to five minutes before authorization codes, access tokens, and refresh tokens generated by the v2/authorize and v2/token endpoints incorporate any changes made to the API integration in Installed Packages.
- Initiate authorization. Your application directs the user’s web browser to your integration’s Marketing Cloud Engagement authorization URL.
- Your application is authorized. By logging in, the end user authorizes your application to act on their behalf.
- Extract authorization code. Marketing Cloud Engagement redirects the user’s web browser to your application and returns an authorization code that your application must extract.
- Request access token using authorization code. Your application requests an access token by providing the authorization code.
- Extract access token. The Marketing Cloud Engagement authorization server returns an access token that your application must extract.
- Access resources. Your application accesses Marketing Cloud Engagement using the access token it received and the REST or SOAP base URLs returned as part of the token response.