Authenticating with the Meetup API

The Meetup API provides support for OAuth 2, the superseding specification for OAuth 1, authentication. This protocol requires all client communication with the Meetup servers to use HTTPS. If your application does not, our servers will response with a 400 error and a message asking you to do so.

We provide implementations of both the server and implicit protocol flows. We provide the following endpoints for both where necessary.

Before you can use OAuth 2 for user authorization, you need to either register a new OAuth consumer or add a redirect_uri to your existing consumer by clicking the edit link next to you consumer's listing. The redirect_uri you register for a given client will be used to validate future oauth2 requests. Any redirect_uri parameter that starts with the registered uri will be considered valid. For instance if you register the uri http://foo.com, http://foo.com/authed will be considered valid while http://bar.foo.com will not.

OAuth 2 consumers are also valid OAuth 1.0a consumers.

Server Flow ¶

This flow is suitable for applications that are capable of securely storing consumer secrets.

Requesting Authorization ¶

https://secure.meetup.com/oauth2/authorize
    ?client_id=YOUR_CONSUMER_KEY
    &response_type=code
    &redirect_uri=YOUR_CONSUMER_REDIRECT_URI

Requesting Access Token ¶

https://secure.meetup.com/oauth2/access

client_id=YOUR_CONSUMER_KEY
&client_secret=YOUR_CONSUMER_SECRET
&grant_type=authorization_code
&redirect_uri=SAME_REDIRECT_URI_USED_FOR_PREVIOUS_STEP
&code=CODE_YOU_RECEIVED_FROM_THE_AUTHORIZATION_RESPONSE

{
  "access_token":"ACCESS_TOKEN_TO_STORE",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}

Make authenticated requests

Implicit Flow ¶

This flow is suitable for JavaScript based browser clients.

Requesting Authorization and Receiving Access Token ¶

https://secure.meetup.com/oauth2/authorize
   ?client_id=YOUR_CONSUMER_KEY
   &response_type=token
   &redirect_uri=YOUR_CONSUMER_REDIRECT_URI

Make authenticated requests

Refreshing Your Access Token ¶

Once received, an access_token is only valid for use for one hour. This is indicated in the expires_in response parameter as seconds. You can refresh the access_token at any time and without involving the user by making a token refresh request. Note, this requires client credentials which users of the implicit flow should not be storing.

Refreshing Token ¶

https://secure.meetup.com/oauth2/access

client_id=YOUR_CONSUMER_KEY
&client_secret=YOUR_CONSUMER_SECRET
&grant_type=refresh_token
&refresh_token=REFRESH_TOKEN_YOU_RECEIVED_FROM_ACCESS_RESPONSE

{
  "access_token":"ACCESS_TOKEN_TO_STORE",
  "token_type": "bearer",
  "expires_in":3600,
  "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}

Make authenticated requests

Making Authenticated Requests ¶

After successfully obtaining member authorization and an access_token you may now make authenticated API requests using HTTPS by supplying the token value in an Authorization header prefixed with bearer and a space.

curl -H "Authorization: Bearer {access_token}" https://api.meetup.com/2/member/self/

curl "https://api.meetup.com/2/member/self/?access_token={access_token}"

User Deauthorization ¶

At any time, a user may choose to revoke access to your application here. This will invalidate any access credentials your application may have been provided for that user.

In order to re-obtain authorization, your application will need to re-request authorization from the user.

Access tokens received from the implicit oauth2 flow will also expire, regardless of the ageless scope, when the user logs out of meetup.com.

Mobile-Optimized Authorization Display ¶

In some cases, you may want to display Meetup's authorization page in a more compact way for mobile devices or a JavaScript popup window. For these cases just append the query parameter set_mobile with a value of on.

User signup ¶

Besides asking the user to log in or to authorize your application, a user may be asked to create an account if they are not already a member. If they choose to do so through they are sent an email verification link which. Once verified, if you are using the server flow, Meetup will redirect the user to your application with the user granted authorization.

If you are implementing an implicit client, you should be aware of this in your design. Typically these clients will open a popup window to display the Meetup login and authorization forms. If the user chooses to create an account through Meetup, after the verification step, the user will only be sent to meetup.com and not redirected to your app which, by that time will most likely have lost the local state need to handle in the incoming request in a new window.

Member registration as part of an OAuth flow can be helpful if the member wishing to log into your application is not a member on Meetup. It can also add complexity. Applications may opt out of registration by providing an additional parameter named suppress, who's value is set to reg. This will have the effect of suppressing a link to register for a new Meetup account if your application user is not already a member on Meetup. You should be clear in any of your application's interstitial views prior to redirecting your user to Meetup that your application requires an account on meetup.com.

Permission Scopes ¶

OAuth 2 introduces the concept of access scopes which further restrict access of a consumer to a Meetup user's data. All o-authorized clients and API keys are implicitly provided the basic scope. We offer an additional scope, messaging, which enables Members and Organizers to send messages, preferences permitting, to one another. This feature is available for both OAuth 1.0a and OAuth 2 clients but not API key-based authentication.

To request this additional scope, pass a value of one or more scope names using + space encoding in the scope request parameter to the end point for obtaining a request token in OAuth 1.0a, https://api.meetup.com/oauth/request/, and the endpoint for obtaining authorization in OAuth 2, https://secure.meetup.com/oauth2/authorize.

Below is a table of the available Meetup API scopes names an their associated permissions.

Note, when making a request you should be able to see which scopes have been enabled and are required using in the following headers

X-OAuth-Scopes: basic, reporting
X-Accepted-OAuth-Scopes: basic, reporting

You should also be able to see which scopes are required in the method documentation.

Additional OAuth 2 Notes ¶

At this time, there is a proposal for access tokens to be associated with a token_type which determines how authenticated requests provide the access_token parameter. The two which are documented are bearer and mac, both of which are still both in early draft phases of specification. In the future, the Meetup API may require either of these in place of simply appending the access_token to a request. Application developers should be aware of this and plan accordingly.

The Meetup API supports authentication of third-party applications using the OAuth protocol. This allows your application to access a user's data and RSVP to events on behalf of the user (after they have explicitly granted permission). If you would like to set up an OAuth consumer to use for your application, you can create one here. The procedure to making requests with OAuth is as follows:

• Fetch a request token, by using the request token URL: https://api.meetup.com/oauth/request/ signed with your consumer credentials. You must include an oauth_callback parameter. Set it to URL that the user will be redirected to after authorizing the application, or oob for out-of-band authentication. The response will include a key and secret for a request token.
• Redirect the user to the authorization url:
  https://secure.meetup.com/authorize/?oauth_token=request_token_key.
• After authorizing, the user is redirected to your callback url with the oauth_token and an oauth_verifier parameter that your application will need acquire an access token. For out-of-band authorization, the verifier is displayed as a "pin" for the user to enter into your application.
• Fetch an access token using the access token URL: https://api.meetup.com/oauth/access/. If the user has chosen to allow the application and a correct oauth_verifier parameter is supplied, the request will return an access token key and secret which can be used for subsequent requests.
• Make API calls as normal - but with the necessary OAuth parameters or headers added to the request. Meetup users can see a list of applications they've authorized in their account settings page, and choose to remove an application. After a user chooses to remove an application, the access token will expire and any requests made with the token will fail. The user will need to re-authorize the application in order to allow access to continue with a new token.

Signatures are used to ensure the identity of the consumer application. Currently, the Meetup implementation of OAuth supports plaintext and HMAC_SHA1 as signature methods. For the URL portion of the signature base string, use the following values:

OAuth Authentication ¶

Endpoint: https://secure.meetup.com/authenticate/?oauth_token=request_token_key

In addition to the standard OAuth 1.0a authorization flow, we support an authentication endpoint for sites that wish to use Meetup to sign in users. Under certain conditions this endpoint will immediately redirect back to the callback URL:

• The user is already logged in to Meetup, and
• The user has already authorized your application and that authorization has not been revoked, and
• The provided request token is valid

When these conditions are not satisfied the authentication endpoint behaves the same as the authorization endpoint, sending the user to the sign in or authorization page as appropriate.

API Request Signing ¶

OAuth requests must also satisfy the following requirements:

• Include a timestamp (oauth_timestamp) which must match to within a 5 minute window of the server time, expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
• Include a nonce (oauth_nonce) which is a unique, randomly generated number that is specific to this request.
• Include the consumer key (oauth_consumer_key) which is used to identify the application making the request.
• Include the signature method (oauth_signature_method) and signature (oauth_signature) which are cryptographically generated digests of the resource URL, the parameters, the consumer secret, and the nonce + timestamp values.

This is the easist method to get started using the API. Simply access you API Key and append it to any request. The request's authorization will be based on the owner's key.