Redirecting users back to your application with an authorisation code

When a user authorises your app, the ApprovalMax Public API redirects the browser back to the redirect_uri you specified when initiating the authorisation. The following parameters are included in the query string of that redirect:
  • code: a temporary authorisation code. It is unique, can be exchanged only once, and expires 5 minutes after it was issued. Capture this code and exchange it for an access token promptly; a code that has expired or has already been used cannot be exchanged again.

  • state: a security measure that protects against Cross-Site Request Forgery (CSRF) attacks. When you initiate the authorisation process, you include a state value in the authorisation URL; on the redirect back to your app, the API returns the same value. Compare the returned state with the one you stored for this user's session before trusting the response: if it is missing or does not match, discard the callback, because the authorisation request was not initiated by your app for this user. The state value should be random and unguessable, and should be bound to the session that started the flow.

  • error: if an error occurs, or the user denies the request, the ApprovalMax Public API redirects back to your redirect_uri with an "error" response instead of a code. Check for it before attempting to exchange a code.



  GET /callbackUrl
  ?code=DB8B007567145099751604AA22EB6D1029F36391A5264EBC5D44CC26650FDC8C
  &scope=https%3A%2F%2Fwww.approvalmax.com%2Fscopes%2Fpublic_api%20offline_access
  &state=irtCNYKKh5OkUeGkubeVoI8wvvHGqr
  &session_state=XArr8dlww7lJZ_UMDKxnUK8px5InpQpTgMGFlFyU7H8.8ED65A9A53326EACCB42CC1FEE5900F8
