Authentication

Infinite Giving uses the OAuth2 authorization code flow for API authentication. This guide covers how to obtain credentials and authenticate your API requests.

Getting your credentials

To access the Infinite Giving API, you'll need a client ID and client secret. You can request credentials from our team.

Authorization flow overview

Redirect to authorization

Your application redirects the user to Infinite Giving's authorization endpoint.

User grants access

The user logs in and approves your application's access request.

Receive authorization code

Infinite Giving redirects back to your application with an authorization code.

Exchange for tokens

Your server exchanges the authorization code for access and refresh tokens.

Step 1: Redirect to authorization

Direct the user to the authorization endpoint with the required parameters.

https://auth.infinitegiving.com/oauth2/authorize?
  response_type=code&
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  scope=YOUR_REQUIRED_SCOPES&
  state=RANDOM_STATE_VALUE

Parameter      Required     Description
response_type  Yes          Must be code
client_id      Yes          Your application's client ID
redirect_uri   Yes          URL to redirect after authorization (must match registered URI)
scope          Yes          Space-separated list of requested permissions
state          Recommended  Random string to prevent CSRF attacks

Step 2: Handle the callback

After the user authorizes your application, they'll be redirected to your redirect_uri with an authorization code.

https://yourapp.com/callback?code=AUTHORIZATION_CODE&state=RANDOM_STATE_VALUE

Always verify that the state parameter matches the value you sent in Step 1 to prevent CSRF attacks.
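The two client-side halves of Steps 1 and 2, building the authorization URL with a fresh random state and then checking that state on the callback, as an added example in Python (this is not Infinite Giving's own SDK or code). It assumes the endpoint and parameter names shown above; the scope values and the client ID used in the usage are constructed placeholders.

```python
"""Step 1: build the authorization URL. Step 2: validate the callback.

Added example, not part of the Infinite Giving documentation or SDK.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.infinitegiving.com/oauth2/authorize"


class CallbackError(Exception):
    """Raised when a callback must be discarded (bad state or no code)."""


def new_state():
    # 32 bytes from the OS CSPRNG, URL-safe. Store it in the user's session
    # before redirecting so the callback can be tied back to this browser.
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # the API expects a space-separated list
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Return the authorization code, or raise if the state check fails.

    `expected_state` is the value saved in the session at Step 1. A missing or
    different state means the callback was not started by this session
    (CSRF or a stale link) and must not be exchanged for tokens.
    """
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if received is None or not secrets.compare_digest(received, expected_state):
        raise CallbackError("state mismatch: callback discarded")
    codes = query.get("code")
    if not codes:
        raise CallbackError("callback carried no authorization code")
    return codes[0]


if __name__ == "__main__":
    # Constructed values: a placeholder client ID and two made-up scopes.
    state = new_state()
    url = build_authorization_url("YOUR_CLIENT_ID", "https://yourapp.com/callback",
                                  ["scope_one", "scope_two"], state)
    print(url)
    print(handle_callback(f"https://yourapp.com/callback?code=AUTHORIZATION_CODE&state={state}", state))
```

The state comparison uses a constant-time check and treats an absent state the same as a wrong one; a callback that fails the check should be logged and dropped without ever reaching the token exchange in Step 3.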

Step 3: Exchange code for tokens

Exchange the authorization code for access and refresh tokens from your server.

Token request

curl -X POST https://auth.infinitegiving.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTHORIZATION_CODE" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "redirect_uri=https://yourapp.com/callback"

Token response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Field          Description
access_token   The token to use for API requests
refresh_token  Token used to obtain new access tokens
token_type     Always Bearer
expires_in     Access token lifetime in seconds (typically 1 hour)

Making authenticated requests

Include your access token in the Authorization header for all API requests.

curl https://api.infinitegiving.com/v1/organizations \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Refreshing tokens

When an access token expires, use the refresh token to obtain a new one without requiring user interaction.

curl -X POST https://auth.infinitegiving.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=YOUR_REFRESH_TOKEN" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

Refresh your access token before it expires to avoid failed requests. Store the new refresh token from each response, as refresh tokens may rotate.

Error responses

Invalid authorization code

{
  "error": "invalid_grant",
  "error_description": "The authorization code has expired or is invalid"
}

Authorization codes are single-use and expire after a short period. Restart the authorization flow if you receive this error.

Expired token

{
  "error": "invalid_token",
  "error_description": "The access token has expired"
}

Use your refresh token to obtain a new access token.

Invalid refresh token

{
  "error": "invalid_grant",
  "error_description": "The refresh token is invalid or has been revoked"
}

The user will need to re-authorize your application.
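A server-side token client covering Step 3, the refresh flow and the error responses above, as an added example in Python (not Infinite Giving's SDK). It builds the same form-encoded requests the curl commands send, tracks expiry from expires_in, refreshes proactively with a 60-second safety margin (an assumed value), keeps the newest refresh token in case of rotation, and maps invalid_grant to "re-authorize the user". The HTTP call is injected as a function so the module runs offline; fake_token_endpoint is a constructed stand-in for the real service, and the token strings it returns are made up.

```python
"""Token exchange, proactive refresh with rotation, and error handling.

Added example, not Infinite Giving's code. `post(url, headers, body)` returns
(status, body_text) and is injected so the logic can be exercised offline.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode

TOKEN_ENDPOINT = "https://auth.infinitegiving.com/oauth2/token"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
REFRESH_MARGIN_SECONDS = 60  # assumed: refresh this long before the token expires


class ReauthorizationRequired(Exception):
    """invalid_grant: the code or refresh token is dead, send the user back to Step 1."""


class TokenRequestError(Exception):
    """Any other error object returned by the token endpoint."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds, computed from expires_in at receipt

    def is_expiring(self, now):
        return now >= self.expires_at - REFRESH_MARGIN_SECONDS

    def authorization_header(self):
        return {"Authorization": "Bearer " + self.access_token}


def _token_request(post, form, now, previous_refresh_token=None):
    _status, body = post(TOKEN_ENDPOINT, FORM_HEADERS, urlencode(form))
    data = json.loads(body)
    if "error" in data:
        if data["error"] == "invalid_grant":
            raise ReauthorizationRequired(data.get("error_description", ""))
        raise TokenRequestError(data["error"], data.get("error_description", ""))
    # Refresh tokens may rotate, so always persist the one in the latest response.
    # Falling back to the previous token when the field is absent is an assumption.
    return TokenSet(
        access_token=data["access_token"],
        refresh_token=data.get("refresh_token", previous_refresh_token),
        expires_at=now + int(data["expires_in"]),
    )


def exchange_code(post, client_id, client_secret, code, redirect_uri, now):
    """Step 3: trade the single-use authorization code for tokens."""
    form = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}
    return _token_request(post, form, now)


def refresh_tokens(post, client_id, client_secret, tokens, now):
    """Obtain a new access token without user interaction."""
    form = {"grant_type": "refresh_token", "refresh_token": tokens.refresh_token,
            "client_id": client_id, "client_secret": client_secret}
    return _token_request(post, form, now, previous_refresh_token=tokens.refresh_token)


def ensure_fresh(post, client_id, client_secret, tokens, now):
    """Reuse the cached access token unless it is within the margin of expiry."""
    if tokens.is_expiring(now):
        return refresh_tokens(post, client_id, client_secret, tokens, now)
    return tokens


def fake_token_endpoint(url, headers, body):
    """Constructed stand-in: one valid code, one valid refresh token, everything else invalid_grant."""
    form = dict(parse_qsl(body))
    ok = {"token_type": "Bearer", "expires_in": 3600}
    if form.get("grant_type") == "authorization_code" and form.get("code") == "GOOD_CODE":
        return 200, json.dumps({"access_token": "ACCESS_1", "refresh_token": "REFRESH_1", **ok})
    if form.get("grant_type") == "refresh_token" and form.get("refresh_token") == "REFRESH_1":
        return 200, json.dumps({"access_token": "ACCESS_2", "refresh_token": "REFRESH_2", **ok})
    return 400, json.dumps({"error": "invalid_grant",
                            "error_description": "The grant is invalid, expired or revoked"})


if __name__ == "__main__":
    client, secret = "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"  # placeholders
    t = exchange_code(fake_token_endpoint, client, secret, "GOOD_CODE", "https://yourapp.com/callback", now=1000)
    t = ensure_fresh(fake_token_endpoint, client, secret, t, now=4550)  # inside the margin: refreshed
    print(t.authorization_header(), "next refresh token:", t.refresh_token)
    try:
        refresh_tokens(fake_token_endpoint, client, secret, t, now=4560)  # REFRESH_2 is unknown to the stub
    except ReauthorizationRequired as err:
        print("user must re-authorize:", err)
```

In production the injected post function is your HTTP client with certificate validation left on, and the TokenSet is persisted per user in your secrets store rather than kept in memory; the invalid_grant branch is the one place where the flow must fall back to a fresh authorization rather than retrying.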

Best practices

Secure credential storage

  • Store credentials in environment variables or a secrets manager
  • Never commit credentials to version control
  • Use different credentials for development and production

Token management

  • Cache access tokens and reuse them until near expiration
  • Securely store refresh tokens (they grant long-lived access)
  • Handle token errors gracefully with retry logic

Request security

  • HTTPS is required for redirect URIs
  • Validate the state parameter on every callback
  • Validate SSL certificates in production