Auth API
Last updated: July 3, 2026
The Auth API is the OAuth flow that authenticates a ServiceUser (an end-user of the product a Space runs) through social login. When the user signs in with a provider connected to the ServiceLogin configuration (for example, Google), this API issues an accessToken and a refreshToken. The issued accessToken is a Bearer token used only for ACMA and ACDA calls; it cannot be used with CMA or CDA. No token crosses the identity boundary.
The base URL is https://auth.weegloo.com/v1, and every path lives under /spaces/{spaceId}/.... All request and response bodies are JSON. For browser apps, we recommend using the official SDK weegloo-service-user rather than handling this wire directly. This page covers the HTTP wire that the SDK calls under the hood. Refer to it when you implement the flow yourself in an environment where the SDK is unavailable (server, native, scripts).
Login flow
Login happens in four steps.
- Navigate the browser to the login entry URL (`/spaces/{spaceId}/login/oauth2/{provider}`). This URL starts a redirect chain that leads to the provider (Google) login screen.
- Once login finishes, Weegloo sends the browser back to the `callbackUrl` configured in ServiceLogin, appending `?exchangeToken=<one-time token>` to the address.
- The callback page reads the `exchangeToken` from the address and sends it to the token exchange endpoint (`POST /spaces/{spaceId}/oauth/token`), receiving an `accessToken` and a `refreshToken` in response.
- From then on, call ACMA and ACDA with the `accessToken` as a Bearer token. Renew it with the `refreshToken` before it expires (`expiresAt`), and revoke the tokens when you log out.
The exchangeToken is one-time use. As soon as the callback has been handled, remove it from the address bar so it is neither exposed (browser history, referrers, logs) nor replayed; the SDK does this automatically.
Token model
Token exchange and renewal return a token response of the same shape. The token strings and timestamps below are example values; real tokens are opaque secret strings, and because the flow goes through a provider login, actual values cannot be reproduced here. The structure and field names are verified against the server code.
```json
{
  "accessToken": "QY3xK9pR2mLs7Vc0Zt8Nf4Wd1Bj6Hg5Ua2Ee9Ck3PoZt8Nf4Wd",
  "tokenType": "Bearer",
  "scope": ["APP"],
  "createdAt": "2026-06-18T05:00:00.000Z",
  "expiresAt": "2026-06-19T05:00:00.000Z",
  "refreshToken": "Rf7Hn2Qw9Zx4Tp1Lk6Vc3Bm8Yd5Gs0Ae2Uj7Co4NeLk6Vc3Bm",
  "refreshExpiresAt": "2026-06-21T05:00:00.000Z"
}
```

| Field | Type | Description |
|---|---|---|
| accessToken | string | The Bearer token used for ACMA and ACDA calls. |
| tokenType | string | The token kind. Always "Bearer". |
| scope | string array | The token's permission scope. A ServiceUser token is ["APP"]. |
| createdAt | string (date-time) | The time the token was issued. |
| expiresAt | string (date-time) | The expiration time of the accessToken. |
| refreshToken | string | The token used to renew the accessToken. |
| refreshExpiresAt | string (date-time) | The expiration time of the refreshToken. Three days after createdAt. |
The three tokens have the following lifetimes.
- The `exchangeToken` is one-time use and short-lived. It must be exchanged right after the callback. It is not included in the exchange response; it is delivered through the address in step 2 of the login flow.
- The lifetime of the `accessToken` follows the server configuration, and the exact expiration time is carried in the response's `expiresAt`. It is for ACMA and ACDA only.
- The `refreshToken` is valid for three days after issuance (`refreshExpiresAt`). Calling renewal issues a new `accessToken` and `refreshToken` pair and revokes the previous pair (rotation). Each time you renew, the previous `refreshToken` can no longer be used.
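An added example in plain JavaScript (not the weegloo-service-user SDK or any Weegloo code) covering the callback step of the login flow and the lifetime rules above: it pulls the one-time exchangeToken out of the callback address and scrubs it, posts it to the exchange endpoint, and decides from expiresAt and refreshExpiresAt whether a stored token is still usable, needs renewal, or requires a fresh login. The JSON request body `{"exchangeToken": ...}`, the injectable `fetchImpl`, and the `history.replaceState` scrub are assumptions; this page does not document the exchange request body.

```javascript
const AUTH_BASE = 'https://auth.weegloo.com/v1';

// Read the one-time exchangeToken from the callback address and return a
// cleaned URL without it (a one-time token must not linger in history).
function extractExchangeToken(callbackUrl) {
  const url = new URL(callbackUrl);
  const token = url.searchParams.get('exchangeToken');
  url.searchParams.delete('exchangeToken');
  return { token, cleanUrl: url.toString() };
}

// In a browser, rewrite the address bar to the cleaned URL (no-op elsewhere).
function scrubAddressBar(cleanUrl) {
  if (typeof history !== 'undefined') history.replaceState(null, '', cleanUrl);
}

// POST the exchangeToken to /spaces/{spaceId}/oauth/token.
// ASSUMPTION: the body shape {"exchangeToken": ...} is not documented on this page.
// fetchImpl is injectable so the call can be exercised offline.
async function exchangeForTokens(spaceId, exchangeToken, fetchImpl = fetch) {
  const url = `${AUTH_BASE}/spaces/${encodeURIComponent(spaceId)}/oauth/token`;
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ exchangeToken }),
  });
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
  return res.json(); // token response: accessToken, expiresAt, refreshToken, ...
}

// Classify a stored token response at time `now`:
//   'ok'    accessToken usable for at least skewMs more
//   'renew' accessToken (nearly) expired, refreshToken still valid: renew it
//   'login' refreshToken expired too (3 days): run the login flow again
function tokenState(tok, now = new Date(), skewMs = 60_000) {
  const t = now.getTime();
  const accessOk = Date.parse(tok.expiresAt) - skewMs > t;
  const refreshOk = Date.parse(tok.refreshExpiresAt) > t;
  if (accessOk) return 'ok';
  return refreshOk ? 'renew' : 'login';
}

// Authorization header for ACMA/ACDA calls; the token is never sent to CMA/CDA.
function bearerHeader(tok) {
  if (tok.tokenType !== 'Bearer') throw new Error(`unexpected tokenType ${tok.tokenType}`);
  return { Authorization: `Bearer ${tok.accessToken}` };
}
```

Call `scrubAddressBar(cleanUrl)` immediately after `extractExchangeToken` in the callback page, before any other navigation or logging touches the address.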
API
The base URL for all four endpoints below is https://auth.weegloo.com/v1. They are covered in order: login entry (GET), token exchange (POST), token renewal (POST), and logout (DELETE).
Related documents
- ServiceUser login (concept): How to configure ServiceLogin in the content studio.
- ACMA: The API for working with member content using the issued token.
- ACDA: The read API for delivery to members.
