This article will help you get familiar with OAuth 2.0


OAuth 2.0 stands for "Open Authorization", a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It works by delegating user authentication to the service that hosts a user account and authorizing third-party applications to access that user account.

It provides consented access and restricts what actions the client app can perform on resources on behalf of the user, without ever sharing the user's credentials. It is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or a user's data.

It uses Access Tokens. An Access Token is a piece of data, sent in an HTTP Authorization request header, that represents the authorization to access resources on behalf of the end-user.

Why use OAuth2?

While building your app, you may want to access data about ItsaCheckmate locations, such as their order history or current menu. With ItsaCheckmate REST APIs, your app can easily access data about locations and their menus.

Considering the sensitivity of location data, we at ItsaCheckmate have implemented the OAuth 2.0 security framework. When a user selects and installs your ordering platform from ItsaCheckmate Marketplace, we use OAuth 2.0 to first secure the communication between your app and the location, and then give your app the necessary access to location data.

While using OAuth 2.0 for ItsaCheckmate, we add another level of authorization which is based on a location. This way the access token you generate will have access to the resources for that location only. When making an authorization request to ItsaCheckmate, your application server must send the location_id parameter in the request. For more details on the authorization request, please check Authorization Request.

Before your application can access private data using the ItsaCheckmate API, it must obtain an access token that grants access to that API. A single access token can grant varying degrees of access to multiple APIs. A parameter called scope controls the set of resources and operations that an access token permits. During the access-token request, your application sends one or more values in the scope parameter.
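The two ItsaCheckmate-specific points above, the extra location_id parameter on the authorization request and the scope values carried by the token, are shown together in the added example below. It is not ItsaCheckmate's own code: the authorization endpoint URL, the token store and the scope names are constructed placeholders, and the standard parameters (response_type, client_id, redirect_uri, scope, state) come from RFC 6749.

```python
"""Added example (not ItsaCheckmate code): build an OAuth 2.0 authorization
request that carries the location_id parameter, and enforce the location
binding when the resulting access token is presented to a resource server."""
import secrets
from urllib.parse import urlencode

# Hypothetical endpoint; the real authorization URL is not given on this page.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"


def build_authorization_request(client_id, redirect_uri, scopes, location_id):
    """Return (url, state): the RFC 6749 parameters plus location_id."""
    state = secrets.token_urlsafe(16)  # binds the redirect back to this request
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),    # scope values are space-delimited
        "state": state,
        "location_id": location_id,   # ItsaCheckmate's extra authorization level
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


# Constructed token store: what the authorization server recorded at issue time.
ISSUED_TOKENS = {
    "tok_abc123": {"location_id": "loc_42", "scope": {"orders:read", "menu:read"}},
}


def authorize_request(auth_header, location_id, required_scope):
    """Resource-server check: the bearer token must be known, bound to the
    location being accessed, and carry the scope the operation needs."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    token = auth_header[len("Bearer "):].strip()
    grant = ISSUED_TOKENS.get(token)
    if grant is None:
        return False, "unknown token"
    if grant["location_id"] != location_id:
        return False, "token not bound to this location"
    if required_scope not in grant["scope"]:
        return False, "insufficient scope"
    return True, "ok"
```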