Implement the Rocketpunch OAuth 2.0 Authorization Flow
Step-by-step guide to implementing the OAuth 2.0 authorization code flow for the Rocketpunch API, from initial redirect to token exchange.
Implementing the Rocketpunch OAuth 2.0 flow takes four steps: redirect the user to Rocketpunch, receive the authorization code at your callback URL, exchange that code for an access token, and use the token to make user-scoped API calls. This guide walks through each step with working code examples.Before you start, make sure you have completed the OAuth setup — you will need your Client ID, Client Secret, and a registered redirect URI.
Never expose your Client Secret in client-side JavaScript, mobile apps, or public source code. All token exchange requests must originate from your server.
Step 1: Redirect the User to the Authorization URL
When a user wants to connect their Rocketpunch account to your app, redirect them to Rocketpunch’s authorization endpoint. Build the URL with the required query parameters and send the user there.Authorization endpoint:
https://www.rocketpunch.com/oauth/authorize
Required parameters:
Parameter
Value
Description
client_id
Your app’s Client ID
Identifies your application
redirect_uri
Your callback URL
Must match the URI registered in your app settings
response_type
code
Requests an authorization code
scope
Space-separated scope list
Permissions your app is requesting
Available scopes:
Scope
Description
profile:read
Read the user’s public profile information
profile:email
Access the user’s email address
const params = new URLSearchParams({ client_id: process.env.RP_CLIENT_ID, redirect_uri: "https://yourapp.com/auth/rocketpunch/callback", response_type: "code", scope: "profile:read profile:email",});const authorizationUrl = `https://www.rocketpunch.com/oauth/authorize?${params.toString()}`;// In an Express route handler:res.redirect(authorizationUrl);
After you redirect the user, Rocketpunch takes over. The user sees a login screen (if not already signed in) followed by a consent screen showing your app’s name and the permissions you requested.
If the user approves, Rocketpunch redirects them to your redirect_uri with an ?code= query parameter.
If the user denies access or cancels, Rocketpunch redirects to your redirect_uri with an ?error=access_denied parameter.
Your callback handler must check for both outcomes.
Rocketpunch redirects the user to your redirect_uri after the consent decision. Extract the code parameter from the query string and pass it to your token exchange logic.
The authorization code is short-lived and single-use. Your server must exchange it for an access token by making a POST request to Rocketpunch’s token endpoint.Token endpoint:
Access tokens expire after the period indicated in expires_in (in seconds). When a token expires, use the refresh_token to obtain a new access token without requiring the user to go through the consent flow again.
async function refreshAccessToken(refreshToken) { const response = await fetch("https://www.rocketpunch.com/oauth/token", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded", }, body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken, client_id: process.env.RP_CLIENT_ID, client_secret: process.env.RP_CLIENT_SECRET, }), }); if (!response.ok) { // Refresh token may have expired — prompt the user to re-authorize throw new Error("Token refresh failed. Re-authorization required."); } return response.json();}
Proactively refresh the access token before it expires rather than waiting for a 401 Unauthorized response. Track the expires_in value and schedule a refresh a few minutes early to keep your users’ sessions seamless.
If the refresh token itself has expired or been revoked, you must redirect the user through the full authorization flow again.