authorization_code back to your app.

Send the authorization_code and code_verifier to Cotter's server and get back a token and the user's email or phone number.

code_verifier is a cryptographically random key that will be sent to Cotter along with the authorization_code in Step 3. Read more about what a code challenge and verifier are.

code_challenge is the hashed version of your code_verifier. We will send this hash in step 2 when you're requesting an authentication from Cotter. code_challenge is sent first so that later, in step 3, Cotter's server can verify that hash(code_verifier) is the same as code_challenge, and therefore that you indeed made the original request.

Check that code_challenge and code_verifier are correctly generated and formatted; try comparing them with the codes generated here: https://example-app.com/pkce

api_key: API_KEY_ID

redirect_url: com.example.app:redirect_uri_path or http://127.0.0.1:port

type: EMAIL or PHONE

state: a random value (e.g. abcXYZ456). This is not the same as your code_verifier. You need to check that the state included by Cotter in the redirect_url is the same as the initial state that you set, to make sure the request is for you. Learn more about state.

Make sure your redirect_url (the front part before ://) doesn't have an underscore or other special characters. To test it out, enter your redirect_url here: https://jsfiddle.net/omd02jn5/

Cotter redirects back to the redirect_url that you specified in step 2. Send the code_verifier, authorization_code and the challenge_id to request tokens and the user's email or phone number from Cotter's server.

The authorization_token is valid for 5 minutes and can only be used once.

Pass the oauth_tokens into your call to your backend for Login or Registration. Your backend should then verify that the access token is valid.

API_KEY_ID is exposed to anyone inspecting your code. Here are some ways to prevent abuse:

Set state=XYZ at the beginning of the auth flow. You should expect that in Cotter's response in Step 2, when Cotter redirects back to your redirect_url, the state is the same (state == XYZ). This makes sure that the redirect was in response to your initial authentication request.
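The generation of code_verifier, code_challenge and state, together with the two checks described above (Cotter's server comparing hash(code_verifier) with code_challenge in step 3, and your app comparing the returned state with the one it set), as an added Python example that is not Cotter's own code. It assumes the S256 challenge method of RFC 7636, base64url(sha256(code_verifier)) without padding, which is also what https://example-app.com/pkce produces, and the redirect parameters at the bottom are a constructed stand-in.

```python
# Added example (not Cotter's code): PKCE verifier/challenge and state checks.
# Assumption: S256 challenge per RFC 7636, base64url(sha256(verifier)) unpadded.
import base64
import hashlib
import hmac
import re
import secrets

_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def make_code_verifier() -> str:
    """Cryptographically random code_verifier (86 base64url chars)."""
    return secrets.token_urlsafe(64)

def is_valid_code_verifier(code_verifier: str) -> bool:
    """Format check from RFC 7636: 43-128 chars from the unreserved set."""
    return _VERIFIER_RE.fullmatch(code_verifier) is not None

def make_code_challenge(code_verifier: str) -> str:
    """code_challenge = base64url(sha256(code_verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_state() -> str:
    """Random state sent in step 2; must come back unchanged in the redirect."""
    return secrets.token_urlsafe(16)

def server_verifies_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Cotter-side check in step 3: hash(code_verifier) == code_challenge,
    compared in constant time so the result does not leak through timing."""
    expected = make_code_challenge(code_verifier).encode("utf-8")
    return hmac.compare_digest(expected, code_challenge.encode("utf-8"))

def app_checks_state(sent_state: str, returned_state: str) -> bool:
    """Your app's check on the redirect_url: returned state == state you set."""
    return hmac.compare_digest(sent_state.encode("utf-8"), returned_state.encode("utf-8"))

if __name__ == "__main__":
    verifier = make_code_verifier()            # keep private; never sent in step 2
    challenge = make_code_challenge(verifier)  # sent in step 2
    state = make_state()                       # sent in step 2
    # Constructed stand-in for the parameters Cotter appends to redirect_url
    redirect_params = {"code": "CONSTRUCTED_AUTH_CODE", "state": state}
    print("state ok:", app_checks_state(state, redirect_params["state"]))
    print("challenge ok:", server_verifies_challenge(verifier, challenge))
```

The first assertion-style check you should run is the RFC 7636 Appendix B vector: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must produce the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.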