Basics & Flows

HiDrive authentication is handled solely using OAuth2. Fundamental details of OAuth2 can be found at the OAuth-Homepage or in the RFC Specification.

Get started by registering your project; you'll receive the app-specific client_id and (in most cases) a client_secret required for our authentication system.

Upon registration, you are asked for your project's "app type" and may choose from "server", "browser" or "native". Each of these types has specific implications for the available authorization options. If you change your mind later on and wish to change the type of your app project, please contact us.

Installed applications (Native)

Applications running as a native client (e.g. an app on a mobile phone) that can either listen on a localhost port or cannot receive a web redirect at all (out-of-band, oob).

redirect_uri http://localhost:<port> or “oob”
client_id yes
client_secret yes
refresh_token yes (validity: 60 days, auto-extend)
access_token yes (validity: 1 hour)
Flow Chart OAuth2 ServerFlow_NativeLocalhostFlow_v1_2a

Web server applications (Server)

Any dynamic web-based application using backend code (go, java, .net, perl, php, python, ruby, …) that is able to keep and store a secret (e.g. in a database).

redirect_uri https://<…> (ssl required)
client_id yes
client_secret yes
refresh_token yes (validity: 60 days, auto-extend)
access_token yes (validity: 1 hour)
Flow Chart OAuth2 NativeOOBFlow_v1_2a

Client-side (JavaScript) applications (Browser)

Client-side JavaScript or similar apps that cannot keep a secret and therefore must obtain a fresh user authorization whenever the access_token expires.

redirect_uri https://<…> (ssl required)
client_id yes
client_secret no
refresh_token no
access_token yes (validity: 1 hour)
Flow Chart OAuth2 BrowserFlow_v1_2a
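
The per-type rules listed above, expressed as client-side checks. This is an added example, not HiDrive code: the function names are hypothetical, and it assumes that a native redirect must carry an explicit port and that "auto-extend" restarts the 60-day refresh_token window each time the token is used.

```python
from datetime import timedelta
from urllib.parse import urlsplit

ACCESS_TTL = timedelta(hours=1)    # access_token validity listed on this page
REFRESH_TTL = timedelta(days=60)   # refresh_token validity listed on this page

# Which credentials each app type holds, transcribed from the lists above.
APP_TYPES = {
    "native":  {"client_secret": True,  "refresh_token": True},
    "server":  {"client_secret": True,  "refresh_token": True},
    "browser": {"client_secret": False, "refresh_token": False},
}

def redirect_uri_allowed(app_type, uri):
    """Check a redirect_uri against the rule listed for the app type."""
    if app_type not in APP_TYPES:
        raise ValueError(f"unknown app type: {app_type!r}")
    if app_type == "native" and uri == "oob":
        return True
    try:
        parts = urlsplit(uri)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False
    if app_type == "native":
        # Exact host match: rejects look-alikes such as localhost.evil.example.
        # Assumption: a port must be present, following "localhost:<port>".
        return parts.scheme == "http" and host == "localhost" and port is not None
    return parts.scheme == "https" and bool(host)

def config_problems(app_type, redirect_uri, has_client_secret):
    """Return a list of mismatches between a client config and its app type."""
    problems = []
    if not redirect_uri_allowed(app_type, redirect_uri):
        problems.append("redirect_uri not allowed for this app type")
    if has_client_secret and not APP_TYPES[app_type]["client_secret"]:
        problems.append("client_secret shipped in an app that cannot keep one")
    if not has_client_secret and APP_TYPES[app_type]["client_secret"]:
        problems.append("client_secret missing")
    return problems

def next_auth_step(app_type, now, access_issued, refresh_last_used=None):
    """Return 'use_access_token', 'refresh' or 'reauthorize'."""
    if now - access_issued < ACCESS_TTL:
        return "use_access_token"
    if not APP_TYPES[app_type]["refresh_token"] or refresh_last_used is None:
        return "reauthorize"
    # Assumption: "auto-extend" restarts the 60-day window on each use.
    return "refresh" if now - refresh_last_used < REFRESH_TTL else "reauthorize"
```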