跳转到主要内容

Important Security Statement

Security first principle: When developing and deploying third-party applications, security is the most important consideration. You must strictly follow the security principles below to ensure the safety of user data and the authorization process.
  1. Never expose client_secret in frontend JavaScript code
  2. The OAuth authorization code to token exchange must be handled on the server side
  3. All access to protected user resources must go through backend API proxying
  4. All OAuth communication must be protected using HTTPS
Violating any of the above security principles may result in serious security vulnerabilities!

📋 Table of Contents

  1. Overview
  2. Getting Started
  3. OAuth2 Authorization Flow
  4. API Reference
  5. SDK and Code Examples
  6. Security Best Practices
  7. FAQ
  8. Technical Support

Overview

We provide an open API based on the OAuth2 standard, allowing third-party applications to securely access users’ basic information and account balance. Through our OAuth2 service, your application can:
  • 🚀 One-click login: Users do not need to register again, login automatically grants authorization for a truly seamless experience
  • 👤 Get user info: Access users’ basic profile (username, email, etc.)
  • 💰 View account balance: Get users’ account balance in real time
  • 🔄 Top-up redirect: Guide users to our top-up page for account recharge
  • 🔐 Automatic token refresh: Built-in refresh token mechanism for seamless token renewal, improving user experience

Getting Started

1. Register a Developer Account

First, you need to register a developer account in our system.

2. Create an OAuth Application

Create your OAuth application in the developer console:
API call example
Example response:
Important Security Reminder:
  • client_id can be used on the frontend (public information)
  • client_secret can only be used on the server side and must never be exposed to the browser
  • Store client_secret in environment variables; do not hardcode it in your code

3. Configure Redirect URI

Make sure your redirect URI meets the following requirements:
  • Uses HTTPS protocol (for production)
  • Points to your server endpoint (not a frontend page)
  • The domain is registered and accessible
  • The path is specific to the API endpoint handling the callback

OAuth2 Authorization Flow

Secure Flow Diagram

Step-by-step Instructions

Step 1: Guide User to Authorize

Add a login button on your frontend page. When clicked, redirect to your server-side authorization endpoint:
Frontend code - only responsible for redirecting

Step 2: Server-side Authorization Handler

Implement the authorization handler on your server:
Server-side code

Step 3: Handle Authorization Callback (Server-side)

Server-side authorization callback handler

Step 4: Frontend Fetches User Info

Frontend fetches user info via API proxy
Server-side API proxy

API Reference

1. Authorization Endpoint

GET /api/oauth2/authorize Guides the user through OAuth2 authorization. Parameters: Security requirements:
  • redirect_uri must exactly match the address registered
  • state must be a random string generated server-side
  • HTTPS must be used (in production)
Scope explanation:
  • profile: Access user’s basic info (username, email)
  • balance: Access user’s account balance

2. Token Endpoint

POST /api/oauth2/token
Security Warning: This endpoint must only be called from the server side, never from the frontend!
Used for two scenarios:
  1. Exchange authorization code for access token
  2. Use refresh token to get a new access token
Authorization code grant parameters: Refresh token grant parameters: Example response:

3. User Info Endpoint

GET /api/oauth2/userinfo Get user’s basic info and account balance. Request header:
header
Example response:
response

SDK and Code Examples

JavaScript SDK

We provide a complete JavaScript SDK you can use directly:

OAuth Callback Page

Create a /oauth/callback.html file:

Node.js Backend Example

For better security, it is recommended to handle client_secret on the backend:

Security Best Practices

1. Client Secret Protection

  • ✅ Recommended: Store client_secret on the backend server
  • ❌ Avoid: Exposing client_secret in frontend JavaScript

2. State Parameter Validation

3. HTTPS Usage

  • Must use HTTPS in production
  • Callback URI must use HTTPS
  • All API requests use HTTPS

4. Token Secure Storage

5. Error Handling

FAQ

Q1: How to achieve a true one-click login experience?

A: Just add the auto_authorize=true parameter to the authorization URL. After the user logs in, authorization will be granted automatically, with no extra confirmation step:

Q2: Will tokens refresh automatically?

A: Yes, our SDK has built-in automatic token refresh:
  • Access token: valid for 2 hours, auto-refresh 5 minutes before expiry
  • Refresh token: valid for 30 days, used to obtain new access tokens
  • Seamless refresh: All API calls will automatically check and refresh expired tokens
  • Retry on failure: If the API returns a 401 error, it will automatically try to refresh the token and retry
Only if the refresh token also expires does the user need to log in again.

Q3: What user info can I get?

A: According to the authorized scope, you can get:
  • profile scope: username, email
  • balance scope: account balance info

Q4: How do I test OAuth integration?

A:
  1. Use HTTP localhost in development for testing
  2. Use our provided test tools to verify the authorization flow
  3. Check network requests in your browser’s developer tools

Q5: Which programming languages are supported?

A: Our OAuth2 API is standard and supports all major programming languages:
  • JavaScript/Node.js
  • Python
  • PHP
  • Java
  • C#/.NET
  • Go
  • Ruby

Q6: How can a user revoke authorization?

A: Users can revoke third-party app authorization in our User Center > Authorization Management page.

Last updated: 2026-06-01