> ## Documentation Index
> Fetch the complete documentation index at: https://docs.codeqr.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Build your own integration

> Learn how to authenticate users with OAuth 2.0 for your CodeQR integration.

Integrations allow you to extend the capabilities of CodeQR and seamlessly connect with third-party platforms and services.

You can build your own integrations with CodeQR using our [API](/api-reference/introduction).

1. Read the documentation on how to [create links](/api-reference/endpoint/create-a-link) or [create QR Codes](/api-reference/endpoint/create-a-qrcode).
2. Learn how to [integrate CodeQR into your application](/integrations/quickstart).
3. [Reach out to us](https://codeqr.io/contact/support) to feature your integration in the integrations marketplace.

In this guide, you will learn how to create and manage integrations on CodeQR, allowing you to incorporate CodeQR's link attribution platform and QR Code management into your application.

## Integrating via OAuth 2.0 (recommended)

CodeQR supports OAuth 2.0 authentication, which is **recommended** if you build integrations extending CodeQR's functionality.

We recommend you use an OAuth client library to integrate the OAuth flow. You can find recommended libraries in a variety of programming languages [here](https://oauth.net/code/).

### Set up OAuth 2.0

Here is a step-by-step guide on how to set up OAuth 2.0 authentication with CodeQR.

<Steps>
  <Step title="Create an OAuth2 application in CodeQR">
    * Go to the [OAuth Apps tab](https://app.codeqr.io/settings/oauth-apps) in your project.
    * Click on **Create OAuth App**.
    * Fill in the required fields to create an OAuth2 application.
  </Step>

  <Step title="Redirect users to authorization URL">
    When you want to authenticate a user, you need to redirect them to the CodeQR OAuth authorization URL.

    ```
    GET https://app.codeqr.io/oauth/authorize
    ```

    Parameters:

    | Property        | Description                                                           |
    | --------------- | --------------------------------------------------------------------- |
    | `client_id`     | The client ID of your OAuth application.                              |
    | `redirect_uri`  | The URL to redirect the user to after they authorize the application. |
    | `response_type` | Expected response type. It should be `code`.                          |
    | `scope`         | A space-separated list of scopes that you want to request access to.  |
    | `state`         | The state parameter to prevent against CSRF attacks.                  |

    An example URL would look like this:

    ```
    GET https://app.codeqr.io/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=SOME_SCOPE&state=SOME_STATE
    ```

    <Frame>
      <img src="https://mintcdn.com/codeqr/Dit-PkrrSHQLOViA/images/oauth-consent.png?fit=max&auto=format&n=Dit-PkrrSHQLOViA&q=85&s=b3c1a5e63d9ae35a071f8cd99e30bbf7" alt="OAuth consent screen" width="1468" height="249" data-path="images/oauth-consent.png" />
    </Frame>
  </Step>

  <Step title="Exchange code for an access token">
    The `code` parameter is returned in the query string when the user is redirected back to your application. You can exchange this code for an access token by making a POST request to the CodeQR OAuth token URL.

    ```
    POST https://api.codeqr.io/oauth/token
    ```

    <Warning>
      The `Content-Type` header should be set to `application/x-www-form-urlencoded`.
    </Warning>

    Parameters:

    | Property        | Description                                                                  |
    | --------------- | ---------------------------------------------------------------------------- |
    | `code`          | The code you received when the user was redirected back to your application. |
    | `client_id`     | The client ID of your OAuth application.                                     |
    | `client_secret` | The client secret of your OAuth application.                                 |
    | `redirect_uri`  | The same redirect URI you used in the authorization URL.                     |
    | `grant_type`    | The grant type. It should be `authorization_code`.                           |

    Response:

    After a successful request, you will receive a JSON response with the access token.

    ```json theme={null}
    {
      "access_token": "codeqr_access_token_ae8ebf6f97e6200d886ef48a5...",
      "refresh_token": "7f5acfbe14bca0a20fe6e430ddb7bb494eed160bd...",
      "token_type": "Bearer",
      "expires_in": 7200,
      "scope": "projects.read,projects.write,links.read,links.write,qrcodes.read,qrcodes.write,pages.read,pages.write,tags.read,tags.write"
    }
    ```

    We recommend using the [PKCE](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) flow for native desktop or mobile applications or single-page apps (SPAs) where the `client_secret` cannot be hidden.
  </Step>

  <Step title="Make an API request with the access token">
    Once you have obtained a valid access token, you can use it to make requests to the CodeQR API.

    Here is an example of how you can create a QR Code by passing the access token in the header: `Authorization: Bearer <ACCESS_TOKEN>`

    ```shell theme={null}
    curl --request POST \
      --url https://api.codeqr.io/qrcodes \
      --header 'Authorization: Bearer <ACCESS_TOKEN>' \
      --header 'Content-Type: application/json' \
      --data '{"url": "https://example.com"}'
    ```
  </Step>

  <Step title="Refresh the access token">
    CodeQR access tokens are short-lived, depending on the `expires_in` value (the default value is **7,200 seconds**, or **2 hours**). CodeQR will respond with `401 Unauthorized` if you try to use an expired access token.

    To refresh the access token, you need to make a POST request to the CodeQR OAuth token URL with the `refresh_token` you obtained when exchanging the code for an `access_token`.

    ```
    POST https://api.codeqr.io/oauth/token
    ```

    <Warning>
      The `Content-Type` header should be set to `application/x-www-form-urlencoded`.
    </Warning>

    Parameters:

    | Property        | Description                                                                  |
    | --------------- | ---------------------------------------------------------------------------- |
    | `client_id`     | The client ID of your OAuth application.                                     |
    | `client_secret` | The client secret of your OAuth application.                                 |
    | `grant_type`    | The grant type. It should be `refresh_token`.                                |
    | `refresh_token` | The refresh token you received when exchanging the code for an access token. |

    Response:

    After a successful request, you will receive a JSON response with the new access token.

    ```json theme={null}
    {
      "access_token": "codeqr_access_token_ae8ebf6f97e6200d886ef48a5...",
      "refresh_token": "7f5acfbe14bca0a20fe6e430ddb7bb494eed160bd...",
      "token_type": "Bearer",
      "expires_in": 7200,
      "scope": "projects.read,projects.write,links.read,links.write,qrcodes.read,qrcodes.write,pages.read,pages.write,tags.read,tags.write"
    }
    ```

    This will invalidate the old access token and refresh token.
  </Step>
</Steps>

### Scopes

You can request access to specific scopes when redirecting users to the CodeQR OAuth authorization URL. Scopes are permissions that the user needs to grant to your application.

CodeQR supports the following scopes for OAuth 2.0:

| Scope            | Description                                                         |
| ---------------- | ------------------------------------------------------------------- |
| `project.read`   | Read access to project.                                             |
| `project.write`  | Write access to project.                                            |
| `links.read`     | Read access to links.                                               |
| `links.write`    | Write access to links.                                              |
| `qrcodes.read`   | Read access to QR Codes.                                            |
| `qrcodes.write`  | Write access to QR Codes.                                           |
| `tags.read`      | Read access to tags.                                                |
| `tags.write`     | Write access to tags.                                               |
| `pages.read`     | Read access to pages.                                               |
| `pages.write`    | Write access to pages.                                              |
| `analytics.read` | Read access to analytics.                                           |
| `domains.read`   | Read access to domains.                                             |
| `domains.write`  | Write access to domains.                                            |
| `user.read`      | Read access to user information. This scope is included by default. |

## Integrating via API keys (not recommended)

CodeQR also supports API key authentication; however, it is **not recommended** for building integrations. It should only be used for internal integrations or personal projects that do not require user consent.

Learn more about [API Keys](/api-reference/tokens).