OAuth2 Grant Types

The OAuth 2.0 specification is an authorization framework that contains a set of methods, or grants, that a client application can use to obtain an access token. Each grant type is designed for a specific use case:

The access token can then be passed to an API endpoint, which checks it to determine validity and authorization scope.

Support for the Authorization Code Flow is planned for a future release.

Server Endpoints

Resource              Endpoint                     Methods
--------------------  ---------------------------  -----------
Authorization         /api/v1/oauth/authorize      GET, POST
Token                 /api/v1/oauth/token          POST
UserInfo              /api/v1/oauth/userinfo       GET, POST
Registration          not implemented yet
Introspection         not implemented yet
Revocation            /api/v1/oauth/revoke         POST
End Session           not implemented yet
Device Authorization  not implemented yet

Clients can query the /.well-known/oauth-authorization-server and /.well-known/openid-configuration endpoints for automatic service discovery:

Note that the Authorization and UserInfo endpoints cannot be used yet as they are still under development.

Access Tokens

When clients have a valid access token, e.g. obtained through the POST /api/v1/oauth/token endpoint, they can use a standard Bearer Authorization header to authenticate their requests:

Authorization: Bearer <token>

Submitting the access token with a custom X-Auth-Token header is supported as well:

curl -H "X-Auth-Token: 7dbfa37b5a3db2a9e9dd186479018bfe2e3ce5a71fc2f955" \
http://localhost:2342/api/v1/photos?count=10
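The token lifecycle described above (service discovery, obtaining a token, sending it with either the Bearer or the X-Auth-Token header, and revoking it), as an added example that is not PhotoPrism's own code. It assumes the token endpoint accepts a client_credentials form body with client_id and client_secret and answers with JSON containing access_token, and that the revocation endpoint takes a form field named token; neither detail is stated on this page. FakeServer is a constructed stand-in so the script runs offline; pass the http function as the transport to talk to a real instance.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:2342"  # host used by the page's curl example
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def http(method, url, headers=None, body=None):
    """Real transport: send the request with urllib, return (status, body bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def auth_headers(token, style="bearer"):
    """Build the header for one of the two forms the API accepts."""
    if style == "bearer":
        return {"Authorization": f"Bearer {token}"}
    if style == "x-auth-token":
        return {"X-Auth-Token": token}
    raise ValueError(f"unknown header style: {style}")

def discover(transport=http, base_url=BASE_URL):
    """Read the RFC 8414 metadata document to locate the token and revocation endpoints."""
    status, data = transport("GET", f"{base_url}/.well-known/oauth-authorization-server")
    if status != 200:
        raise RuntimeError(f"discovery failed: HTTP {status}")
    return json.loads(data)

def get_token(client_id, client_secret, transport=http, base_url=BASE_URL):
    """Obtain a token; the client_credentials grant is an assumption, not stated on the page."""
    meta = discover(transport, base_url)
    form = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    status, data = transport("POST", meta["token_endpoint"], FORM, urllib.parse.urlencode(form).encode())
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    payload = json.loads(data)
    if "access_token" not in payload:
        raise RuntimeError("token response carries no access_token")
    return payload["access_token"]

def list_photos(token, count=10, style="bearer", transport=http, base_url=BASE_URL):
    """Call the photos endpoint; HTTP 401 means the token is invalid or has been revoked."""
    status, data = transport("GET", f"{base_url}/api/v1/photos?count={count}", auth_headers(token, style))
    if status != 200:
        raise PermissionError("access token rejected") if status == 401 else RuntimeError(f"HTTP {status}")
    return json.loads(data)

def revoke_token(token, transport=http, base_url=BASE_URL):
    """Revoke at the advertised revocation_endpoint (the form field name `token` is an assumption)."""
    meta = discover(transport, base_url)
    status, _ = transport("POST", meta["revocation_endpoint"], FORM, urllib.parse.urlencode({"token": token}).encode())
    return status == 200

class FakeServer:
    """Constructed offline stand-in: issues a token for the right secret, answers 401 once revoked."""
    def __init__(self, client_id="demo-client", client_secret="demo-secret"):
        self.creds, self.tokens, self.issued = (client_id, client_secret), set(), 0

    def __call__(self, method, url, headers=None, body=None):
        path = url[len(BASE_URL):]
        form = dict(urllib.parse.parse_qsl((body or b"").decode()))
        if path == "/.well-known/oauth-authorization-server":
            return 200, json.dumps({"token_endpoint": BASE_URL + "/api/v1/oauth/token",
                                    "revocation_endpoint": BASE_URL + "/api/v1/oauth/revoke"}).encode()
        if path == "/api/v1/oauth/token" and method == "POST":
            if (form.get("client_id"), form.get("client_secret")) != self.creds:
                return 401, b'{"error":"invalid_client"}'
            self.issued += 1
            token = f"constructed-token-{self.issued}"
            self.tokens.add(token)
            return 200, json.dumps({"access_token": token, "token_type": "Bearer"}).encode()
        if path == "/api/v1/oauth/revoke" and method == "POST":
            self.tokens.discard(form.get("token"))
            return 200, b"{}"
        if path.startswith("/api/v1/photos"):
            auth = (headers or {}).get("Authorization", "")
            presented = auth[7:] if auth.startswith("Bearer ") else (headers or {}).get("X-Auth-Token")
            if presented not in self.tokens:
                return 401, b'{"error":"unauthorized"}'
            return 200, json.dumps([{"UID": "constructed-uid-1"}]).encode()
        return 404, b""

def demo(transport):
    """Full lifecycle: discover, obtain, use with both header styles, revoke, confirm rejection."""
    token = get_token("demo-client", "demo-secret", transport)
    bearer_ok = len(list_photos(token, style="bearer", transport=transport)) == 1
    custom_ok = len(list_photos(token, style="x-auth-token", transport=transport)) == 1
    revoked = revoke_token(token, transport)
    try:
        list_photos(token, transport=transport)
        rejected = False
    except PermissionError:
        rejected = True
    return {"bearer_ok": bearer_ok, "custom_header_ok": custom_ok, "revoked": revoked, "rejected_after_revoke": rejected}

if __name__ == "__main__":
    print(demo(FakeServer()))
```

The two header styles are interchangeable from the API's point of view, so pick one and keep the token out of URLs and logs. Calling the revocation endpoint when a client is done, and confirming that the old token then yields 401, is the check worth keeping in an integration test: it proves revocation is actually enforced rather than just acknowledged.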

Besides using the API endpoints provided for this, you can also generate valid access tokens by running the photoprism auth add command in a terminal.

App passwords can be used as access tokens in the Bearer Authorization header without first creating a session access token, and to obtain short-lived session access tokens through the POST /api/v1/session endpoint.

Protocol References

Authentication Libraries

Documentation Examples