What's OAuth?
An open protocol to allow secure API authentication.

Huh?
Basically, it's a method that allows users to authorize apps or services to use their SmugMug account without having to provide their SmugMug username or password.

  • Consumer - The application or service.
  • Service Provider - SmugMug.
  • End User - The SmugMug user who authorizes the consumer to access their account.
  • Request Token - The unique token used to initiate the authorization.
  • Access Token - The unique token used to access an end user's account. An authorized request token is exchanged for an access token.

SmugMug Specifics (Service Provider)

Authentication Flow

Obtaining an unauthorized request token

  1. The application/service asks for an unauthorized request token.
  2. SmugMug returns an unauthorized request token.

Obtaining User Authorization

  1. The application/service redirects the end user to SmugMug to authenticate and authorize the application/service to access his/her account. The application/service can request specific Access (Public [default] or Full) and Permissions (Read [default], Add or Modify) for a user's account by including &Access and/or &Permissions in the authorization URL.
  2. The end user logs into their SmugMug account.
  3. The end user authorizes the application/service to access his/her account.
  4. If the application/service has a callback URL, the end user is redirected there automatically after authorization. Otherwise, the end user closes the browser window and returns to the application or service manually.

Obtaining an Access Token

  1. The application/service presents the authorized request token.
  2. SmugMug returns an access token.
  3. The application/service stores the access token.
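The three legs above, as an added Python example that is not SmugMug's own code: OAuth 1.0 HMAC-SHA1 signing for each leg, the Access/Permissions query parameters from the authorization step, and the check a service provider performs on a signed request before honoring it. The endpoint URLs are placeholders (the page gives none), and the oauth_verifier on the third leg is an OAuth 1.0a detail assumed here, not something the page states.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlencode

REQUEST_TOKEN_URL = "https://example.invalid/oauth/request_token"  # placeholder, not SmugMug's
AUTHORIZE_URL = "https://example.invalid/oauth/authorize"          # placeholder
ACCESS_TOKEN_URL = "https://example.invalid/oauth/access_token"    # placeholder

def pct(s):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped
    return quote(str(s), safe="~")

def base_string(method, url, params):
    # Encode each name/value, sort by name then value, join: the normalized string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer secret & token secret (empty token secret on the first leg)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_params(method, url, ck, cs, token=None, token_secret="", **extra):
    p = {"oauth_consumer_key": ck, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
         "oauth_version": "1.0", **extra}
    if token: p["oauth_token"] = token
    p["oauth_signature"] = sign(method, url, p, cs, token_secret)
    return p

# Leg 1: unauthorized request token; "oob" when the consumer has no callback URL
def request_token_params(ck, cs, callback="oob"):
    return signed_params("POST", REQUEST_TOKEN_URL, ck, cs, oauth_callback=callback)

# Leg 2: where to send the end user; Access/Permissions default to Public/Read
def authorization_url(request_token, access="Public", permissions="Read"):
    q = {"oauth_token": request_token, "Access": access, "Permissions": permissions}
    return AUTHORIZE_URL + "?" + urlencode(q)

# Leg 3: exchange the authorized request token (plus verifier) for an access token
def access_token_params(ck, cs, req_token, req_secret, verifier):
    return signed_params("POST", ACCESS_TOKEN_URL, ck, cs, req_token, req_secret,
                         oauth_verifier=verifier)

# Service-provider side: recompute the signature and compare in constant time
def verify(method, url, params, cs, token_secret=""):
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, cs, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)
```

A modified parameter or a wrong token secret makes verify() return False, which is exactly the check that lets the service provider reject a replayed or altered request.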
