# OAuth

If you integrate with our OAuth service, you can make API requests on your members' behalf without them having to share their credentials with you. This unlocks building a headless members area.

The first step is to configure your OAuth application client, which you [manage through your organisation settings here.](https://admin.glu.io/user/select_organisation?route=admin_integrations_oauth_manage) You'll be asked to configure your redirect\_uri and give it a name. The first time you create your application you will be shown your `client_id` and `client_secret`, which should be stored securely.

{% stepper %}
{% step %}

### Authorizing as a member

<mark style="color:green;">`GET`</mark> `{store}/oauth/authorize`

Send the user to the authorize URL on the desired store.

| Query parameter | Value                                                                                                              |
| --------------- | ------------------------------------------------------------------------------------------------------------------ |
| `response_type` | Always `code`                                                                                                      |
| `client_id`     | The `client_id` from your application client.                                                                      |
| `redirect_uri`  | One of the pre-configured redirect\_uri from your application client. The user will be redirected here on success. |
| `state`         | An opaque, unguessable value you generate for this login attempt. It is returned unchanged alongside the `code`, so you can confirm the redirect belongs to that attempt. |

{% endstep %}

{% step %}

### Exchanging the code for a token

<mark style="color:orange;">`POST`</mark> `{store}/token`

On successful authorization, the user will be redirected to the specified `redirect_uri` with a `code` and `state` parameter. You should use this endpoint to exchange the `code` for an access token.

**Body**

| Name            | Description                                                        |
| --------------- | ------------------------------------------------------------------ |
| `client_id`     | The `client_id` from your application client.                      |
| `client_secret` | The `client_secret` from your application client.                  |
| `grant_type`    | Always `authorization_code`                                        |
| `code`          | The `code` query parameter received on the redirect.               |
| `redirect_uri`  | The redirect\_uri that was used to redirect the user.              |

**Response**

{% tabs %}
{% tab title="200" %}

```json
{
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI4YjU1ZDk3MjJlMDk0ODRlZWM2ZWQ2NzVkODM1MjViMiIsImp0aSI6IjRiMTRlYTJlMDVlN2Q2NmNlNDg4Yzk4NDY0NTEyNjYxOWQzMDU0NTY1MDdiZmJmYzZkMzlhZTdlMDBjNTNmYmIwNDJlZTA2MzdjMTg0YmU4IiwiaWF0IjoxNzUwNzAxMjI0LjI5NzQ5NiwibmJmIjoxNzUwNzAxMjI0LjI5NzUwMiwiZXhwIjoxNzUwNzA0ODI0LjI3MDYzMSwic3ViIjoiZnJlZGRkZGR5eXkrbXltZW1iZXJAZ21haWwuY29tIiwic2NvcGVzIjpbXX0.hnVZ-DIdkKE_VhmyOO5B3q-ISisc1sg2IpCgXhC3X96cxen1gvrFvtQ7GOC1HdTntMzg_DdzJ2WwmmhDyUtSm57UtYtrxbe6NwSv4OiBzC6aR7idKx7XlLu9Hp1gz0XHaDFrH_V2LCZvrf1Ygr6YyNaAavr6rWLq3I3SQ9Em02TCroghf5DWK4bp9jfWygChc7PWmWCni9TTQ5mV-VZrBGTGOalWf2u6_XuY93ua-QJvyKB7Apx1NGFmAtrVXFkUM9PY8XNasCGNEx2VRocUZB_TGjcxdkN1zIavc6ec69uCWj3bMkm5A49mio00slSqH6CGs7r5xevBNovWPNMprA",
    "refresh_token": "<refresh_token>"
}
```

{% endtab %}

{% tab title="400" %}

```json
{
    "error": "invalid_grant",
    "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
    "hint": "Authorization code has expired"
}
```

{% endtab %}
{% endtabs %}
{% endstep %}

{% step %}

### Using the access token

Include the access token in every request to the [Store API](/docs/api-reference/store-api.md): pass it in the `Authorization` header with the value `BEARER {access_token}`.
{% endstep %}
{% endstepper %}

***

#### Refreshing the access token

<mark style="color:orange;">`POST`</mark> `{store}/token`

Access tokens expire (see `expires_in` in the token response), so you'll want to refresh them periodically. To do that, use the same token endpoint with the body below to get a new access token.

**Body**

| Name            | Description                                                   |
| --------------- | ------------------------------------------------------------- |
| `client_id`     | The `client_id` from your application client.                 |
| `client_secret` | The `client_secret` from your application client.             |
| `grant_type`    | Always `refresh_token`                                        |
| `refresh_token` | The `refresh_token` returned with your current access token.  |
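The three steps above plus the refresh call, as an added example that is not glu's own client code: the endpoint paths, grant types and parameter names are the ones documented on this page; the store URL, client credentials, redirect URI and the `http_post` transport callable are placeholders you supply, and the `code` body field name is assumed from RFC 6749.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: your store URL and the credentials from your application client.
STORE = "https://example-store.invalid"
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "your-client-secret"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"  # one of the pre-configured URIs

def new_state() -> str:
    # Unguessable per-login value; keep it in the user's session before redirecting.
    return secrets.token_urlsafe(32)

def build_authorize_url(state: str) -> str:
    # Step 1: GET {store}/oauth/authorize
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{STORE}/oauth/authorize?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    # Accept the redirect only if `state` is the one stored for this login attempt.
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    if "code" not in q:
        raise ValueError(q.get("error", ["no authorization code in redirect"])[0])
    return q["code"][0]

def _post_token(form: dict, http_post) -> dict:
    # Step 2: POST {store}/token via http_post(url, form) -> (status, body_bytes), any HTTP client you supply.
    status, payload = http_post(f"{STORE}/token", form)
    data = json.loads(payload)
    if status != 200:  # error replies carry error / error_description / hint, as shown above
        raise RuntimeError(f"{data.get('error')}: {data.get('hint') or data.get('error_description')}")
    return data

def exchange_code(code: str, http_post) -> dict:
    # The `code` field name is assumed from RFC 6749 (standard authorization_code grant).
    return _post_token({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                        "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI,
                        "code": code}, http_post)

def refresh_access_token(refresh_token: str, http_post) -> dict:
    return _post_token({"grant_type": "refresh_token", "client_id": CLIENT_ID,
                        "client_secret": CLIENT_SECRET, "refresh_token": refresh_token}, http_post)

def auth_header(token: dict) -> dict:
    # Step 3: header for Store API requests, spelled as this page gives it.
    return {"Authorization": f"BEARER {token['access_token']}"}
```

Store the value from `new_state()` in the user's session before redirecting, and feed the full callback URL plus that stored value to `parse_callback()` so a redirect carrying someone else's `code` is rejected.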
