This section explains how authentication works when interacting with the Livepush REST API and how to obtain and use access tokens securely.
Authentication with the Livepush API is based on OAuth 2.0 and requires a registered OAuth application.
Getting started with the Livepush REST API begins with a client request that is authenticated using OAuth credentials.
The authentication process involves:
- Registering an OAuth application to obtain a Client ID and Client Secret
- Requesting an access token with specific scopes
- Sending the access token with each API request to authenticate the user
Only authenticated requests are allowed to interact with Livepush API resources.
The only supported method of API authentication is OAuth 2.0.
The Livepush REST API is built on top of the standard OAuth 2.0 protocol and follows the RFC 6749 specification. This makes the API compatible with a wide range of OAuth libraries and SDKs across different programming languages and frameworks.
A detailed walkthrough of the OAuth authorization flow is provided in the Getting Access Tokens section below.
Before making authenticated API requests, you must register an OAuth application in the Livepush Developer Console.
Registering an OAuth application allows you to generate Client API Keys that are required for authentication.
- Log in to the Livepush Developer Console
- Navigate to Apps
- Click New App from the action bar
- Enter a name for your application and click Create App
- Select the newly created app and click Manage App
- Copy the Client ID and Client Secret and store them securely
Always keep your Client ID and Client Secret confidential. Do not expose them in public repositories, client-side code, or public forums.
Access tokens are issued with specific scopes that define what actions an application is allowed to perform.
Scopes limit the permissions of access tokens so that applications can only access the resources they are explicitly authorized for.
- profile.read: Read user profile information
- profile.write: Update or modify user profile information
- subscriptions.read: Read user subscription details
- auth.modify: Modify user authentication details
- billing.read: Read billing data such as invoices and payments
- teams.read: Read team-related data
- teams.write: Modify team-related data
- regions.read: Retrieve the list of available regions
- streams.read: Read user stream data
- streams.write: Update existing stream data
- streams.create: Create or deploy new streams
- streams.delete: Delete or destroy streams
- streams.videos.read: Read stream video data
- streams.videos.write: Update or delete stream video data
- streams.destinations.read: Read and list stream destinations configured for a stream
- streams.destinations.write: Create, update, and remove stream destinations for a stream
Access tokens are required for all authenticated API requests.
The Livepush API server validates the access token included in each request to identify the user and verify permissions.
To obtain an access token, your application must complete the OAuth Authorization Code flow.
A typical authorization flow follows these steps:
- The client application redirects the user to the Livepush OAuth authorization page
- The user reviews and approves the requested permissions
- The user is redirected back to the client application's configured redirect URI
- The redirect URL includes a query parameter code
- The client application exchanges the authorization code for an access token
- The API returns an access token and refresh token
If the user denies authorization, the redirect URL will contain an error query parameter instead of code.
Send the user to the OAuth authorization endpoint:
GET https://id.livepush.io/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=<comma_separated_scopes>
Exchange the authorization code for an access token:
GET https://tokens.livepush.io/oauth2/access_token?code=<code>&client_id=<client_id>&client_secret=<client_secret>&grant_type=authorization_code&redirect_uri=<redirect_uri>
If the authorization code is valid, the API responds with the following payload:
{ "access_token": "uatin87h3m1opd908pa9sdxxxx", "refresh_token": "rftkljosua2in87h3m1opd90xxxxx", "token_type": "access_token", "expires_in": 3600 }
- access_token: Short-lived token used to authenticate API requests
- refresh_token: Long-lived token used to obtain new access tokens
- token_type: Always access_token
- expires_in: Token expiration time in seconds
Always store access tokens securely and avoid exposing them in client-side applications or public environments.
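The Authorization Code flow described above, as an added Python sketch of the server-side handling (not Livepush's own code). The helper names are hypothetical, and the `state` parameter is an assumption taken from RFC 6749, which the page says the API follows; the page itself does not document it.

```python
import hmac, json, secrets, time
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://id.livepush.io/oauth2/authorize"      # from the page
TOKEN_URL = "https://tokens.livepush.io/oauth2/access_token"   # from the page

def build_authorize_url(client_id, redirect_uri, scopes):
    """Return (url, state). Pass only the scopes the application needs."""
    state = secrets.token_urlsafe(32)  # assumption: RFC 6749 `state` is echoed back
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": ",".join(scopes),  # the page specifies comma-separated scopes
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state

def parse_callback(callback_url, expected_state):
    """Return the authorization code; raise if denied or if state mismatches."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:  # user denied authorization
        raise PermissionError(f"authorization denied: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def build_token_request_url(code, client_id, client_secret, redirect_uri):
    """Server-side only: this URL carries the Client Secret, so never log it."""
    return TOKEN_URL + "?" + urlencode({
        "code": code, "client_id": client_id, "client_secret": client_secret,
        "grant_type": "authorization_code", "redirect_uri": redirect_uri,
    })

def parse_token_response(body, now=None):
    """Check the documented fields and compute an absolute expiry time."""
    data = json.loads(body)
    for field in ("access_token", "refresh_token", "token_type", "expires_in"):
        if field not in data:
            raise ValueError(f"missing field: {field}")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}
```

Keep the returned `state` in the user's server-side session between the redirect and the callback, and refresh the access token shortly before `expires_at`.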