
User Authentication 2.0 (for Wiki)


This is a sample implementation of the User Authentication service for Bungie.net. See the Official Help Article for more information.

Pre-Setup: Choose OAuth Client Type

This setting has to match what was set in your application settings. This is set when you create your app, but this demo allows you to switch between them to see the differences in the implementation.

OAuth Client Type

Step 1: Ask the user to Authorize your app

This is the Authorization URL found under each API Key after you have set up your Redirect URL.

Example Authorization URL

Authorize App

Step 1: Ask the user to Authorize your app (via a new tab)

This is the Authorization URL found under each API Key after you have set up your Redirect URL.

This method opens the Authorization URL in a new tab and listens for changes to the Local Storage where the tokens are stored.

Example Authorization URL



// App Window
localStorage.setItem('tabbed', true); // stored as the string "true"
window.addEventListener('storage', function(e) {
    // Fires in this window when another tab changes Local Storage
    if (localStorage.getItem('tabbed')) {
        // Reload authorization code from LocalStorage
    }
});

// Authorize/Redirect Window
if (localStorage.getItem('tabbed')) {
    // Save authorization code to LocalStorage and close the tab
}
Authorize App

Step 2: Send Authorization Code to the GetOAuthAccessToken endpoint.

Once the user has approved your App, Bungie.net will redirect them back to the Redirect URL you specified in your Application Settings with ?code={your-authentication-code} appended to the end of the URL. From this point on, you no longer need user interaction, so this should all be done automatically.

Generate Tokens





Step 3: Test Authenticated APIs

Make sure to store the Access Token and Refresh Token somewhere safe. In the case of this Angular app, they have been stored in Local Storage, which any script running on the same origin can read.

  • There is no Refresh Token when using the Public OAuth Client Type.





Step 4: Renew Access Tokens (Confidential Only)

Access Tokens only last for one hour, so your App needs to make a request to GetOAuthAccessToken to renew it using your Refresh Token. Refresh Tokens last up to 90 days and are renewed for another 90 days every time you call this endpoint, up to a maximum of 1 year, at which point all your tokens will be voided and your user is sent back to Step 1.

Renew Access Tokens
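
The token lifetimes from Steps 3 and 4 as a small state check, added here as an example and not taken from the demo's own source. The field names, the 60-second margin and reading "1 year" as 365 days are assumptions; the code makes no network calls and only decides whether to use the Access Token, renew it, or send the user back to Step 1.

```javascript
// Added example: token lifetime bookkeeping for Steps 3 and 4.
// Lifetimes are the ones stated on this page; field names are hypothetical.
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const ACCESS_TTL = 1 * HOUR;    // Access Tokens last one hour
const REFRESH_TTL = 90 * DAY;   // Refresh Tokens last up to 90 days
const MAX_SESSION = 365 * DAY;  // "maximum of 1 year" (assumed to mean 365 days)
const SKEW = 60 * 1000;         // assumed safety margin before expiry

// Build the record to store after Step 2 (first token issue).
function issueTokens(clientType, now) {
    return {
        clientType,                         // 'confidential' or 'public'
        authorizedAt: now,                  // start of the 1-year window
        accessExpiresAt: now + ACCESS_TTL,
        // The Public OAuth Client Type receives no Refresh Token.
        refreshExpiresAt: clientType === 'confidential' ? now + REFRESH_TTL : null
    };
}

// Record a successful renewal: both tokens are extended, but neither can
// outlive the 1-year cap counted from the first authorization.
function recordRenewal(tokens, now) {
    const cap = tokens.authorizedAt + MAX_SESSION;
    return Object.assign({}, tokens, {
        accessExpiresAt: Math.min(now + ACCESS_TTL, cap),
        refreshExpiresAt: Math.min(now + REFRESH_TTL, cap)
    });
}

// Decide what the app must do before its next authenticated API call.
function nextAction(tokens, now) {
    if (!tokens) return 'authorize';                                  // Step 1
    if (now < tokens.accessExpiresAt - SKEW) return 'use-access-token';
    if (tokens.refreshExpiresAt !== null &&
        now < tokens.refreshExpiresAt - SKEW) return 'renew';         // Step 4
    return 'authorize';                                               // back to Step 1
}
```
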



