OAuth Visual Guide v2.0

3-Legged OAuth Flow

Understanding APS authentication step by step

👤 User: End user with Autodesk account
🔧 Your App: Client application
🔐 Autodesk: OAuth authorization server
1. User Initiates Login
User clicks "Login with Autodesk" in your application
// Redirect to Autodesk OAuth
window.location = 'https://developer.api.autodesk.com/authentication/v2/authorize' +
  '?response_type=code&client_id=YOUR_ID&redirect_uri=...'
2. User Authentication
User enters Autodesk credentials and grants permissions
// User sees Autodesk login page
// No code required - handled by Autodesk
3. Authorization Code Return
Autodesk redirects back with authorization code
// Your callback receives:
GET /callback?code=ABC123xyz...&state=security_token
4. Exchange Code for Token
Your server exchanges the code for access tokens
POST /authentication/v2/token
  grant_type: 'authorization_code'
  code: authCode
  client_id: CLIENT_ID
  client_secret: CLIENT_SECRET
5. Store & Use Tokens
Save tokens securely and make authenticated API calls
// Store in session (server-side)
session.accessToken = response.access_token
session.refreshToken = response.refresh_token
Final Access Token (JWT)
eyJhbGciOiJSUzI1NiIsImtpZCI6IjY0RE9XMnJoOE...XQ8uZjAyN2I1MGNhNDU5ODgwYjJiMGE
🚀 Skip the Complexity with RAPS CLI
# RAPS handles the entire OAuth flow automatically
$ raps auth login --3legged

# Check authentication status
$ raps auth status
✅ Authenticated | Token valid for 58 minutes