Authentication with OAuth 2.0
The Cineamo API uses OAuth 2.0 for authentication. All API requests require valid access tokens.
🎯 Supported Grant Types
Cineamo supports three OAuth 2.0 grant types:
- Authorization Code Grant with PKCE - For user authentication (web/mobile apps)
- Client Credentials Grant - For server-to-server authentication
- Refresh Token Grant - For renewing expired access tokens
Note: Password Grant and Implicit Grant are not supported for security reasons.
🔐 Client Credentials Grant
Use this for server-to-server authentication (backend services, APIs, scripts).
Request
Code
Response
Code
Key Points:
- No
refresh_tokenreturned (not needed for client credentials) - Access token expires in 24 hours (86400 seconds)
- Request a new token after expiration
👤 Authorization Code Grant (PKCE)
Use this for user authentication (web apps, mobile apps, SPAs).
PKCE (Proof Key for Code Exchange) is required for security.
Step 1: Generate PKCE Values
Code
Step 2: Authorization Request
Code
Parameters:
response_type: Must becodeclient_id: Your OAuth client IDredirect_uri: Must match registered redirect URIstate: Random string for CSRF protectioncode_challenge_method: Must beS256(SHA-256)code_challenge: Base64URL-encoded SHA-256 hash
Step 3: User Authorization
User logs in and authorizes your application. On success, they're redirected to:
Code
Step 4: Token Exchange
Code
Response
Code
Key Points:
- Access token expires in 24 hours
- Refresh token expires in 2 years
- Store refresh token securely for token renewal
🔄 Refresh Token Grant
Renew expired access tokens without re-authentication.
Request
Code
Response
Code
Key Points:
- Returns new access token and new refresh token
- Old tokens are invalidated
- Refresh tokens expire after 2 years of inactivity
🎯 Using Access Tokens
Include the access token in the Authorization header:
Code
⏰ Token Expiration
| Token Type | Expiration |
|---|---|
| Access Token | 24 hours (86400 seconds) |
| Refresh Token | 2 years |
| Authorization Code | 10 minutes |
Best Practice: Refresh tokens proactively before expiration (e.g., at 23 hours).
🔑 Obtaining Credentials
Contact your Cineamo account manager to receive:
- Client ID - Public identifier for your application
- Client Secret - Confidential secret (never expose publicly)
- Redirect URI - Authorized callback URL (for authorization code flow)
Environments:
- Production:
https://api.cineamo.com - Staging:
https://api.staging.cineamo.com
🛡️ Security Best Practices
DO ✅
- Use HTTPS for all requests (required)
- Store secrets securely (environment variables, secrets manager)
- Use PKCE for all authorization code flows
- Validate
stateparameter to prevent CSRF attacks - Rotate credentials periodically
- Monitor token usage for anomalies
DON'T ❌
- Expose credentials in client-side code or repositories
- Share credentials between different applications
- Hardcode credentials in source code
- Reuse authorization codes (single-use only)
- Store tokens in localStorage (use secure storage)
🚨 Error Responses
OAuth 2.0 errors follow this format:
Code
Common Errors
| Error | Description | Solution |
|---|---|---|
invalid_client | Invalid client credentials | Verify client_id and client_secret |
invalid_grant | Invalid/expired authorization code or refresh token | Request new authorization |
unauthorized_client | Client not authorized for this grant type | Contact Cineamo support |
invalid_request | Missing required parameters | Check request format |
access_denied | User denied authorization | User must approve access |
📋 Quick Reference
Client Credentials Flow
Code
Authorization Code Flow
Code
Refresh Flow
Code
📚 See Also
- PHP Array Parameters - URL parameter syntax
- HAL Responses - Response format
- Fetching Showtimes - Using authentication in practice
- API Reference - Complete endpoint documentation
OAuth 2.0 Spec: RFC 6749 PKCE Spec: RFC 7636

