HiDrive authentication is handled solely using OAuth2. Fundamental details of OAuth2 can be found at the OAuth-Homepage or in the RFC Specification.
Get started by registering your project; You’ll receive the app-specific client_id and (in most cases) a client_secret required for our authentication system.
Upon registration, you are asked for your project’s “app type” and may chose from “server”, “browser” or “native”. Each of these types has a specific implication on the available authorization options. If you change your mind later on and wish to change the type of your app project, please contact us.
Installed applications (Native)
Applications running as a native client (e.g. an app on a mobile phone) that can either listen to a localhost port, or are not able to listen to a web-redirect at all (out-of-band, oob)
| redirect_uri | http://localhost:<port> or “oob” |
| client_id | yes |
| client_secret | yes |
| refresh_token | yes (validity: 60 days, auto-extend) |
| access_token | yes (validity: 1 hour) |
| Flow Chart | OAuth2 ServerFlow_NativeLocalhostFlow_v1_2a |
Web server applications (Server)
Any dynamic web-based application using backend code (go, java, .net, perl, php, python, ruby, …), that is able to keep and store a secret (e.g. in a database).
| redirect_uri | https://<…> (ssl required) |
| client_id | yes |
| client_secret | yes |
| refresh_token | yes (validity: 60 days, auto-extend) |
| access_token | yes (validity: 1 hour) |
| Flow Chart | OAuth2 NativeOOBFlow_v1_2a |
Client-side (JavaScript) applications (Browser)
Client-side JavaScript or similar apps, that can not keep a secret and therefore must obtain a fresh user-authorization whenever the access_token expires.
| redirect_uri | https://<…> (ssl required) |
| client_id | yes |
| client_secret | no |
| refresh_token | no |
| access_token | yes (validity: 1 hour) |
| Flow Chart | OAuth2 BrowserFlow_v1_2a |