AskFRED supports OAuth2 for third-party applications that need to access the API on behalf of AskFRED users. This uses the industry-standard Authorization Code grant type.
If you are building an application that integrates with AskFRED, OAuth2 allows your users to securely authorize your app to access their data without sharing their AskFRED credentials.
How It Works
1. You register your application with AskFRED to receive a Client ID and Client Secret.
2. Your app redirects users to AskFRED to log in and approve access.
3. AskFRED redirects back to your app with an authorization code.
4. Your app exchanges the code for an access token and refresh token.
5. Your app uses the access token to make API requests on behalf of the user.
Registering Your Application
Contact AskFRED support to register your application. You will need to provide:
- Application Name — A user-facing name for your app (e.g., "My Fencing Results").
- Redirect URI — The URL in your app where AskFRED will send users after they approve access (e.g., https://yourapp.com/callback). This must use HTTPS in production.
You will receive:
- Client ID (client_id) — A public identifier for your app.
- Client Secret (client_secret) — A private key. Keep this secure and never expose it in client-side code.
Authorization Flow
AskFRED uses a standard OAuth2 authorization scheme at the following URL:
GET https://www.askfred.net/oauth/authorize
We recommend using an existing OAuth2 library to handle the handshake. Otherwise, follow an existing DIY guide; we use the standard URL format for this process.
The final successful payload after the full handshake will look like this:
{
  "access_token": "abc123...",
  "token_type": "Bearer",
  "expires_in": 604800,
  "refresh_token": "def456...",
  "created_at": 1710000000
}
- access_token — Use this to make API requests. Expires after **7 days**.
- refresh_token — Use this to get a new access token when the current one expires.
Making API Requests
Include the access token in the `Authorization` header, just like a standard API key:
Authorization: Bearer abc123...
Example:
curl -H "Authorization: Bearer abc123..." \
  https://www.askfred.net/api/v1/me
Refreshing an Expired Token
Access tokens expire after 7 days. Use the refresh token to get a new one without requiring the user to re-authorize:
POST https://www.askfred.net/oauth/token
Request Body:
| Parameter | Required | Description |
|-----------------|----------|--------------------------------------------------|
| grant_type | Yes | Must be refresh_token |
| refresh_token | Yes | The refresh token from the original token response |
| client_id | Yes | Your application's Client ID |
| client_secret | Yes | Your application's Client Secret |
Example:
curl -X POST https://www.askfred.net/oauth/token \
  -d grant_type=refresh_token \
  -d refresh_token=def456... \
  -d client_id=YOUR_CLIENT_ID \
  -d client_secret=YOUR_CLIENT_SECRET
The response returns a new access_token and refresh_token. Replace the old tokens with the new ones.
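The following server-side sketch is an added example, not AskFRED's own code. It computes expiry from `created_at` + `expires_in`, refreshes ahead of time, and replaces both tokens only after validating the response. The `TokenSet` class, the `http_post_form` helper and the one-day `REFRESH_MARGIN` are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://www.askfred.net/oauth/token"  # refresh endpoint documented above
REFRESH_MARGIN = 24 * 3600  # assumption: refresh one day before the 7-day expiry


def http_post_form(url, fields):
    # POST form-encoded fields over HTTPS; urlopen raises HTTPError on 401/429.
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenSet:
    """Hypothetical holder for one user's tokens, kept on the server only."""
    def __init__(self, payload, client_id, client_secret, post=http_post_form):
        self.client_id, self.client_secret, self.post = client_id, client_secret, post
        self._store(payload)

    def _store(self, payload):
        # Validate first so a malformed response cannot overwrite good tokens.
        for key in ("access_token", "refresh_token", "expires_in", "created_at"):
            if key not in payload:
                raise ValueError(f"token response missing {key}")
        self.access_token = payload["access_token"]
        self.refresh_token = payload["refresh_token"]  # old refresh token is replaced
        self.expires_at = int(payload["created_at"]) + int(payload["expires_in"])

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_MARGIN

    def refresh(self):
        self._store(self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }))

    def auth_header(self, now=None):
        # Return the Authorization header, refreshing first if expiry is near.
        if self.needs_refresh(now):
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}
```

If `refresh()` raises (for example on a 401 because the refresh token was revoked), the stored tokens are left unchanged and the user must re-authorize.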
Revoking a Token
If a user wants to disconnect your app, you can revoke their token:
POST https://www.askfred.net/oauth/revoke
Request Body:
| Parameter | Required | Description |
|-----------------|----------|--------------------------------------------------|
| token | Yes | The access token or refresh token to revoke |
| client_id | Yes | Your application's Client ID |
| client_secret | Yes | Your application's Client Secret |
Error Responses
| HTTP Status | Meaning |
|-------------|------------------------------------------------------------|
| 401 | Token is missing, expired, or revoked. Refresh or re-authorize. |
| 429 | Rate limit exceeded. See rate limiting rules in the API Access article. |
Security Best Practices
- Never expose your Client Secret in client-side code (JavaScript, mobile apps). Keep it on your server.
- Always use HTTPS for your redirect URI in production.
- Store tokens securely on your server. Treat them like passwords.
- Refresh tokens proactively before they expire to avoid interrupting your users.
- Revoke tokens when a user disconnects your app or when tokens are no longer needed.