Authorization overview
Introduction
To interact with Text APIs, your requests need to be authenticated. This means the API needs to know who is making the request and what they're allowed to do.
Text uses the OAuth 2.1 protocol for authentication and authorization across all of its services. Before you continue, make sure you understand the difference between the two.
- Authentication is making sure that somebody really is who they say they are.
  E.g.: Checking your passport at the security check is authentication.
- Authorization is assigning rules about who is allowed to do what.
  E.g.: Allowing you to take a first-class seat is authorization.
In terms of interacting with our APIs, authentication is when you check the user credentials to see if they are signed in. Authorization is when you look up whether you allow them to do something.
There are a few ways to authenticate requests, depending on how your solution works. In most cases, the easiest way is to use a Personal Access Token (PAT). A PAT lets your script or service call the APIs directly without implementing a full authorization flow.
If you’re building a solution that needs to access the API on behalf of multiple users, you can use the OAuth authorization flows instead.
Use cases
Decide which authorization flow to choose based on your use case.
| Use case | Recommended flow |
|---|---|
| Sending requests to LiveChat API | Personal Access Tokens are the fastest way, but all other flows are also possible. |
| Testing during development | Personal Access Tokens or Sign in with LiveChat are the fastest, but all other flows are also possible. |
| Building private web apps | Personal Access Tokens for the personal use of the app, Sign in with LiveChat or Implicit grant for all agents within a license |
| Building private server-side apps | Personal Access Tokens for the personal use of the app, Sign in with LiveChat or Authorization code grant for all agents within a license |
Postman collection
You can find all the requests from the agent and customer authorization flows in Postman. Remember to replace sample parameters with your own.
Agent authorization
Most Text APIs let you use Personal Access Tokens (PATs) for agent authentication. To learn how to create and use a PAT, see Personal Access Tokens.
If your integration needs to access the API on behalf of multiple agents, you can use OAuth authorization flows instead. OAuth allows each user to authorize your integration with their own account, and requests are executed using their identity and permissions.
Customer authorization
The Customer Chat API uses a different authorization model. To learn how to authenticate customer-related requests, see customer authorization.
Global Accounts
If you decide to implement an authorization flow instead of using a PAT, make sure you understand the concept of Global Accounts.
Scopes
Scopes control what your application is allowed to do when calling the APIs. Each scope grants access to specific resources or operations.
To learn more about available scopes and how they work, see:
Scopes
Troubleshooting
If you run into issues while setting up authorization, check the troubleshooting guide and FAQ for common questions and solutions.
Troubleshooting
Sample OAuth authorization apps
We've prepared two apps with fully implemented authorization flows. You can test them, experiment with them, or modify their code and extend their functionality:
The apps demonstrate how to implement two flows from the Accounts SDK: the popup flow and the redirect flow.
To learn more about the sample apps and implementing Accounts SDK, read our blog post.