API OAuth doesn't grant access to my app

Hello,
I am building the app using the Envato API. I am using Authenticating with OAuth with the endpoint "https://api.envato.com/authorization?response_type=code&client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]".
After the redirect I see the code in the URL, but I don’t see the access to my app in the "Apps you’ve granted access" section on https://build.envato.com/my-apps/

What should be the reason?
Thank you

Yeah, the build.envato.com website is kinda in ruins right now. You should see the app listed, but it won’t have a title – just a list of scopes and a revoke button. I wouldn’t be surprised if it didn’t list your grant at all given recent trends from the devs over there.

The important thing is to check the code sent to your redirect URI and see if it can be used to successfully generate tokens. If it can, then you’re good to go, regardless of what build.envato.com shows.

Thanks for your answer.
I am getting the code in the redirect URI, but it’s not working when I use it for a POST request to get tokens.

Are you sure you’re sending it in the correct format? You need to send all parameters as a urlencoded request body, not as query parameters like the docs suggest at first glance. Here’s example code:

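```php
<?php
// Parameters for exchanging the authorization code for tokens
$args = [
    "grant_type" => "authorization_code",
    "code" => $_GET['code'], // the code Envato appended to the redirect URI
    "client_id" => "Your client ID here",
    "client_secret" => "Your client secret here"
];

// Encode the parameters as a urlencoded request body, not as a query string
$body = http_build_query($args, "", "&", PHP_QUERY_RFC1738);
$handle = curl_init("https://api.envato.com/token");

curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); // return the response instead of printing it
curl_setopt($handle, CURLOPT_USERAGENT, "Your user agent here");
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $body);
curl_setopt($handle, CURLOPT_HTTPHEADER, [
    "Content-Type: application/x-www-form-urlencoded"
]);

// Send the request; $response holds the raw response body
$response = curl_exec($handle);
```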

$response will then contain the JSON string upon success, e.g.

```json
{"refresh_token":"","token_type":"bearer","access_token":"","expires_in":3600}
```

Actually, I was trying as the docs say. I will try with the body parameters.
Do you have a JS request example?

For server-side JavaScript, you could use my envato npm package to get started quickly. It’s fully typed for ease of development, and it supports OAuth. Otherwise, the implementation will depend on what libraries or API you’re using to send HTTP requests.

You can also reference my code for the library above, but it’s heavily abstracted, so you will need to do a bit of digging to see the full request chain:

If you need further help, let me know how you’re sending HTTP requests and provide your existing code. I’ll be happy to advise from there.


Looks great! Thanks.
So it’s server side? Doesn’t work on the client fetch?
I am building via React.

No, you shouldn’t implement OAuth from the client side. This will expose your client_secret and the subsequent tokens, which is considered a security breach. Envato may even block the requests for this reason upon seeing a browser user agent.

The correct procedure is to implement your interactions with the Envato API on the server-side, and provide an API of your own (however minimal it may be) from which your React app can fetch the necessary data. You never want to expose the client_secret, it’s like a password.

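Added example (not part of the original thread, and not code from the envato npm package): a server-side JavaScript version of the PHP token exchange above, covering both the urlencoded-body point and the advice to keep the client_secret off the React client. The function names `buildTokenRequest`, `exchangeCode` and `toClientView` are hypothetical, and it assumes a runtime with global `fetch` and `URLSearchParams` (Node 18+).

```javascript
// Added example: runs on your server, never in the browser bundle.
const TOKEN_URL = "https://api.envato.com/token"; // endpoint from the PHP snippet

// Build the POST request. Every parameter goes in a urlencoded body,
// none in the query string, so the secret never appears in a URL.
function buildTokenRequest(code, { clientId, clientSecret }) {
  if (typeof code !== "string" || code.length === 0) {
    throw new Error("missing authorization code");
  }
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: clientId,
    client_secret: clientSecret, // load from server config, e.g. an env var
  });
  return {
    url: TOKEN_URL,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Your user agent here",
      },
      body: body.toString(),
    },
  };
}

// Exchange the code for tokens. fetchImpl is injectable (an assumption of
// this example) so the flow can be exercised offline with a stub.
async function exchangeCode(code, creds, fetchImpl = globalThis.fetch) {
  const { url, options } = buildTokenRequest(code, creds);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json(); // {refresh_token, token_type, access_token, expires_in}
}

// Hypothetical helper: what your own API hands back to the React app.
// The tokens themselves stay in the server-side session.
function toClientView(tokens) {
  return { authenticated: Boolean(tokens.access_token), expires_in: tokens.expires_in };
}
```

The React app calls your own endpoint, which runs `exchangeCode` and returns only `toClientView(tokens)`.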

Ok, got it.
Probably that’s why it doesn’t work.
Thanks for helping!
Will build it with a server.


You’re welcome! Feel free to reach out if you need any help with the server implementation. Using my existing package should get you up and running quickly. You can follow along with the OAuth steps here: https://www.npmjs.com/package/envato#oauth

You can store their refresh and access tokens in a session cookie or such. It’s not really required to store them in any kind of persistent database, you can just send them back to Envato’s OAuth authorization screen whenever the session is gone and start over from the code again. :stuck_out_tongue:
