Front Desk apps use a standard "authorization code" OAuth 2 Flow. Your application contains a Log In link that sends users to Front Desk. The URL will look something like this:
After authenticating with Front Desk and granting access to your application, the user is redirected back to your site with an authorization code parameter in the URL:
Your server exchanges the authorization code for an access token. Values are passed as form parameters. Please note, that
POST https://frontdeskhq.com/oauth/token

grant_type=authorization_code&
code=AUTH_CODE&
redirect_uri=REDIRECT_URL&
client_id=CLIENT_ID&
client_secret=SECRET
You will receive the access token via JSON in the response (or an error):
Supplying an access token in API requests
An access token is required when making API requests. The access token can be supplied by using an HTTP header:
Authorization: Bearer MYTOKEN
Or by using a URL query parameter:
Currently, Front Desk access tokens don’t expire, so your app does not need to refresh the token. However, access tokens can be revoked. If a token is revoked for any reason, your app should handle re-authentication.
Specifying a host for OAuth requests
If your application is tied to one business and you do not need access to a user's profiles in other businesses, or if you want the users of your application to see a login screen branded to a particular business, include the subdomain of that business in the access URL:
If your application requires access to a user's complete Front Desk account across all businesses, exclude the subdomain. Users will then see a Front Desk-branded login screen that isn't business-specific.
If an access token is created on a business subdomain, all subsequent API requests must be against that subdomain.
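The token exchange, the Authorization header and the subdomain rule described above can be combined in one place on the server. The following is an added example, not Front Desk's own code: it builds the requests without sending them, and the function names, the `HostNotAllowed` exception and the refusal of non-Front Desk hosts are assumptions made for illustration.

```python
import urllib.parse
import urllib.request

BASE_HOST = "frontdeskhq.com"  # host shown on the page
TOKEN_PATH = "/oauth/token"    # token endpoint shown on the page


class HostNotAllowed(ValueError):
    """The access token would be sent to a host it must not be used against."""


def build_token_request(code, redirect_uri, client_id, client_secret, host=BASE_HOST):
    """Build (without sending) the server-side code-for-token POST."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    # The code and client secret go in the form body, not in the URL.
    return urllib.request.Request(f"https://{host}{TOKEN_PATH}", data=form, method="POST")


def build_api_request(url, access_token, issuing_host=BASE_HOST):
    """Build an API request carrying the token in the Authorization header.

    issuing_host is the host the token was created on. A token created on a
    business subdomain is only ever attached to requests for that subdomain.
    """
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower()
    issuing_host = issuing_host.lower()
    if parts.scheme != "https":
        raise HostNotAllowed("refusing to send a bearer token over " + repr(parts.scheme))
    if host != BASE_HOST and not host.endswith("." + BASE_HOST):
        raise HostNotAllowed(host + " is not a Front Desk host")
    if issuing_host != BASE_HOST and host != issuing_host:
        raise HostNotAllowed("token created on " + issuing_host + ", not valid for " + host)
    request = urllib.request.Request(url)
    request.add_header("Authorization", "Bearer " + access_token)
    return request
```

Store the issuing host next to each access token so that `build_api_request` can enforce the subdomain rule for every call made with it.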