Implementing redirect server in another language

Last updated 6 months ago

The authorization code flow is described here:

When a HTTP request is made that requires a new access token, the following occurs:

(1) Register state with your redirect server.

Unity makes a HTTP POST to endpoint. Headers: Accept=application/json, Content-Type: multipart/form-data. You can view a sample request here. Key 's' is a unique identifier for the state. The state value is used later on to locate your access token, once available. Key 'i' is the Client ID. Key 'k' is your Secret Key. The remainder of the keys are there to assist your redirector with supporting different OAuth implementations. Each OAuth implementation can vary slightly

(2) Unity opens browser to get consent from user.

Example URL for Wunderlist is

Note that the state unique identifier is the same that we sent to our redirect server.

(3) Authorization server contacts your redirect server.

Based on the redirect URI you provided in your authorization URL and inside the API's app configuration, the authorization server will issue an HTTP GET to endpoint. Included in this call are error, state, and code query parameters.

(4) Exchange authorization code for access token.

Your redirect server code now has to make an HTTP POST to the API's access token URL. This normally includes sending the authorization code, Client ID, and Secret Key in the POST body. The body is typically includes form fields for each parameter, with a Content-Type header 'application/x-www-form-urlencoded'.

(5) Store the access token.

The response to your code=>token exchange will contain either an error or data which will include the access token. Store this information on the server side for the next step, keying on the state unique identifier.

(6) Return to Unity and retrieve token.

When you navigate back to Unity, gameplay will resume and a HTTP GET request will be made to Your server code must then retrieve the token info for the requested state unique identifier and return it in the below format.


"r": [
"k": "access_token",
"v": "3adff24c2f1aafab9120502e09fc1722937ee3e7df21cbeb5cc6fc181d58"