OAuth Quickstart
Get up and running with Loopwise OAuth 2.0 in minutes.
This guide walks you through the complete OAuth 2.0 integration flow with Loopwise — from registering a client to making your first authenticated API request.
Prerequisites
- A Loopwise school with admin access
- A server-side application that can make HTTPS requests
- A publicly accessible redirect URI
Overview
Loopwise uses the Authorization Code flow with PKCE (RFC 7636):
For a detailed explanation of each step, see Authorization Code Flow.
Step 1: Register your application
You can register an OAuth application in two ways:
Option A: Admin UI
Navigate to your school's admin panel at Settings > OAuth Applications and create a new application. You'll receive a client_id and client_secret.
Option B: Dynamic Client Registration
Send a POST request to the registration endpoint:
curl -X POST https://your-school.loopwise.com/api/oauth/register \
-H "Content-Type: application/json" \
-d '{
"client_name": "My Integration",
"redirect_uris": ["https://myapp.com/callback"],
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"],
"token_endpoint_auth_method": "none"
}'The response includes your client_id:
{
"client_id": "abc123...",
"client_name": "My Integration",
"redirect_uris": ["https://myapp.com/callback"],
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"],
"token_endpoint_auth_method": "none",
"scope": "read write courses:read courses:write students:read students:write analytics:read curriculum:read curriculum:write orders:read school:read"
}Step 2: Redirect the user to authorize
Build the authorization URL and redirect the user's browser:
https://your-school.loopwise.com/oauth/authorize?
response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=https://myapp.com/callback
&scope=read+courses:read+students:read
&state=RANDOM_STATE_VALUE
&code_challenge=PKCE_CHALLENGE
&code_challenge_method=S256The user will see a consent screen showing the requested scopes. The token will be scoped to the school where your OAuth application is registered.
Step 3: Exchange the code for tokens
After the user authorizes, Loopwise redirects to your redirect_uri with a code parameter. Exchange it for tokens:
curl -X POST https://your-school.loopwise.com/api/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "code=AUTHORIZATION_CODE" \
-d "redirect_uri=https://myapp.com/callback" \
-d "client_id=YOUR_CLIENT_ID" \
-d "code_verifier=PKCE_VERIFIER"Response:
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 7200,
"refresh_token": "def456...",
"scope": "read courses:read students:read",
"school_id": 42,
"school_subdomain": "demo"
}Step 4: Make API requests
Use the access token in the Authorization header:
curl https://your-school.loopwise.com/api/v1/courses \
-H "Authorization: Bearer ACCESS_TOKEN"Refreshing tokens
Access tokens expire after 2 hours. Use the refresh token to get a new one:
curl -X POST https://your-school.loopwise.com/api/oauth/token \
-d "grant_type=refresh_token" \
-d "refresh_token=REFRESH_TOKEN" \
-d "client_id=YOUR_CLIENT_ID"Next steps
- Available scopes — see what data you can access
- Authorization Code Flow — understand the flow in detail
- Token Endpoints — full token endpoint reference