Hivesigner OAuth2

What's OAuth2?

OAuth 2 is the industry-standard protocol for authorization. OAuth defines four roles:

Resource Owner: User
Client: Application
Resource Server: hived
Authorization Server: Hivesigner

Implicit grant flow

The implicit grant flow basically works as follows: the user is asked to authorize the application, then the authorization server passes the access token back to the application. The implicit grant type is used for mobile apps and web applications where the client secret confidentiality is not guaranteed. This flow does not authenticate the identity of the application, and relies on the redirect URI to serve this purpose.

Step 1: Implicit authorization link

With the implicit grant type, the user is presented with an authorization link that requests a token from the API. This link looks like this:,comment

Step 2: User authorizes application

When the user clicks the link, they must first log in to the service, to authenticate their identity (unless they are already logged in). Then they will be prompted by the service to authorize the application to post on their behalf.

Step 3: Application receives access token

If the user authorizes the application, the service redirects the user to the application redirect URI, which was specified during the client registration, along with an access token. The redirect would look something like this (assuming the application is ""):

Code authorization flow

To get offline permission, you need to use the code authorization flow and add the scope "offline" along with the other permissions you need. You would send your user to a page like this:,comment,vote,comment_option,custom_json

You will then receive a code which can be used to get a refresh_token. The refresh token does not expire, and you can create an access_token with it at any time. With the code, you will need to send a request to the Hivesigner API at

This request must be made from your server; don't make your app secret public. It is also recommended to send the code and secret inside the body of a POST request, instead of a GET request with URL parameters.
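The server-side exchange described above, as an added example (not Hivesigner's own code): it builds the token request with the code and app secret in a POST body, and shows what the GET form with URL parameters would leave in an access log. The endpoint is a placeholder, and the field names `code` and `client_secret`, the JSON encoding and all helper names are assumptions.

```javascript
// Placeholder endpoint: substitute the token URL from the Hivesigner docs.
const TOKEN_ENDPOINT = "https://auth.example.invalid/token";

// Build the code exchange as a POST with code and secret in the body only.
// Field names "code"/"client_secret" and the JSON encoding are assumptions.
function buildTokenRequest(code, appSecret, endpoint = TOKEN_ENDPOINT) {
  if (typeof code !== "string" || code === "") throw new Error("missing code");
  if (typeof appSecret !== "string" || appSecret === "") throw new Error("missing app secret");
  const url = new URL(endpoint);
  if (url.protocol !== "https:") throw new Error("token endpoint must be https");
  if (url.search !== "") throw new Error("token URL must not carry parameters");
  return {
    url: url.toString(),
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", Accept: "application/json" },
      body: JSON.stringify({ code, client_secret: appSecret }),
    },
  };
}

// The discouraged form: the same values as URL parameters of a GET request.
function buildTokenRequestAsGet(code, appSecret, endpoint = TOKEN_ENDPOINT) {
  const url = new URL(endpoint);
  url.searchParams.set("code", code);
  url.searchParams.set("client_secret", appSecret);
  return { url: url.toString(), init: { method: "GET" } };
}

// What a typical proxy or web-server access log keeps: method, path and query.
function accessLogLine(request) {
  const u = new URL(request.url);
  return `${request.init.method} ${u.pathname}${u.search}`;
}

// Constructed sample values, not real credentials.
const SAMPLE_CODE = "sample-code-123";
const SAMPLE_SECRET = "sample-app-secret";

const postReq = buildTokenRequest(SAMPLE_CODE, SAMPLE_SECRET);
const getReq = buildTokenRequestAsGet(SAMPLE_CODE, SAMPLE_SECRET);
console.log(accessLogLine(postReq)); // no code or secret in the logged line
console.log(accessLogLine(getReq));  // code and secret appear in the logged line
// On the server only: const res = await fetch(postReq.url, postReq.init);
```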


Scopes provide access to certain operations. The application service should only request the scopes it requires.

Access Token Usage

Once the application has an access token, it may use the token to access the user's account or broadcast posting operations via the API, limited to the scope of access, until the token expires or is revoked.

Here is an example of an API request, using curl. Note that it includes the access token:

curl -H "Authorization: ACCESS_TOKEN"

Broadcast a transaction

Here is an example POST request, using an access token to broadcast a vote for a user:

  Authorization: ACCESS_TOKEN
  Content-Type: application/json
  Accept: application/json
  Body: {
    "operations": [
      ["vote", {
        "voter": "guest123",
        "author": "ecency",
        "permlink": "trustpilot",
        "weight": 10000
      }]
    ]
  }


{
  "errors": null,
  "result": {
    "ref_block_num": 32098,
    "ref_block_prefix": 793145245,
    "expiration": "2021-05-27T05:49:36",
    "operations": [
      ["vote", {
        "voter": "guest123",
        "author": "ecency",
        "permlink": "trustpilot",
        "weight": 10000
      }]
    ],
    "extensions": [],
