Loops API Docs

Authentication

Loops uses the OAuth 2.0 authorization code grant. Once you have a registered app, send the user to the authorize page, receive an authorization code at your redirect URI, then exchange that code for an access token.

1. Redirect the user to authorize

GET /oauth/authorize

Build the authorization URL with your client details and send the user there in a browser:

Authorization URL
https://loops.video/oauth/authorize
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https%3A%2F%2Fmyapp.example%2Fcallback
  &scope=read+write+follow
  &state=RANDOM_STATE_STRING

Parameter                 Type    Description
response_type (required)  string  Must be "code".
client_id (required)      string  The client_id from your registered app.
redirect_uri (required)   string  Must match a redirect URI registered with the app.
scope                     string  Space-separated scopes (use + or %20 in the URL). Must be a subset of the app scopes.
state                     string  Recommended. An opaque value echoed back to protect against CSRF.

After the user approves, they're redirected to your redirect_uri with a code query parameter. Verify that the returned state matches the value you sent before exchanging the code.

2. Exchange the code for a token

POST /oauth/token
Request
curl -X POST https://loops.video/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "redirect_uri": "https://myapp.example/callback",
    "code": "AUTHORIZATION_CODE",
    "scope": "read write follow"
  }'
Response
{
  "access_token": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "token_type": "Bearer",
  "scope": "read write follow",
  "created_at": 1733443200
}

Store the access_token and send it as a bearer token on every authenticated request. You can revoke a token at any time via POST /oauth/revoke.
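
The client side of steps 1 and 2, as an added example that is not part of the Loops documentation: it generates the state value, rejects a callback whose state does not match, and builds the token request body. The function names are hypothetical and the sample callback URL in a real app comes from the incoming request; the endpoint and field names are the ones shown above.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://loops.video/oauth/authorize"  # from the docs above


def build_authorize_url(client_id, redirect_uri, scopes):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # 32 random bytes, unguessable
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # urlencode turns the spaces into '+'
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def extract_code(callback_url, expected_state):
    """Return the authorization code, or raise if the callback is not ours."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time compare; a missing or empty state must never pass.
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def token_request_body(client_id, client_secret, redirect_uri, code, scopes):
    """JSON body for POST /oauth/token, same fields as the curl request."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # same value sent to /oauth/authorize
        "code": code,
        "scope": " ".join(scopes),
    }
```

Bind the stored state to a single login attempt and delete it once extract_code has run, so a replayed callback fails the comparison.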

Need an app-level token with no user context? Use grant_type=client_credentials instead of the authorization code.