Overview
The DRIP User Authentication system provides a secure, consent-based flow for apps to access user data. Similar to OAuth 2.0, users must explicitly authorize your app before it can access their information.
Quick Flow Summary
- Your app redirects the user to https://app.drip.re/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI
- User reviews and approves your app on the DRIP consent page
- User is redirected back to your redirect_uri with an authorization code: YOUR_REDIRECT_URI?code=AUTH_CODE&response_type=code
- Your app exchanges the code for the user’s DRIP ID by calling the API
- Your app can now access user data using the DRIP ID
Key Benefits:
- 🔒 Secure user consent flow
- 🎯 Works for both Realm and Multi-realm apps
- ⚡ Short-lived authorization codes (5-minute TTL)
- 🔑 Minimal data exposure (only returns dripId)
- ✅ Transparent app information for users
Authentication Flow
Implementation Guide
Prerequisites
API Client Setup
Your app must have a valid API client (either Realm or App client) with appropriate scopes
Redirect URI
Configure a redirect URI where users will be sent after authorization
Step 1: Redirect to Authorization Page
Direct users to the DRIP consent page where they can review and approve your app:
What happens on the consent page:
- User must be logged into DRIP
- App information is displayed (name, logo, developer, verification status)
- User can approve or deny access
- If approved, user is redirected to your redirect_uri with an authorization code
- If denied, user is redirected with an error parameter
Important: Do not confuse the consent page URL (https://app.drip.re/oauth/authorize) with the API endpoint (https://api.drip.re/api/v1/auth/oauth/authorize). Users visit the consent page in their browser; you should never directly call the authorization API endpoint. The consent page handles calling the API internally when the user approves.
Step 2: Handle the Callback
After user approval, they’ll be redirected to your redirect_uri with the authorization code:
Step 3: Exchange Authorization Code
Exchange the authorization code for the user’s DRIP ID:
Step 4: Get Public Client Information (Optional)
You can fetch your app’s public information to display on your own consent/login page:
Complete Implementation Example
Here’s a full implementation of the user authentication flow:
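The following is an added example of the server side of this flow, written for this page; it is not DRIP's own SDK or sample code. Everything the page states is used as-is (the consent URL, the client_id and redirect_uri parameters, the code and response_type callback parameters, the dripId result, the error codes from the Error Handling section). Everything else is an assumption and is labelled as such in the code: the exchange endpoint path (a placeholder), the JSON request and response shape, a state parameter used for the CSRF protection the Security Considerations call for, and the value of the error parameter on denial. The HTTP call is injected as a function so the example runs offline against a constructed stand-in; in production you would wrap requests or urllib there.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the page.
CONSENT_URL = "https://app.drip.re/oauth/authorize"
# ASSUMPTION: the page does not name the exchange endpoint or its JSON shape;
# the path below is a placeholder you must replace with the documented one.
EXCHANGE_URL = "https://api.drip.re/api/v1/auth/oauth/EXCHANGE_ENDPOINT_PLACEHOLDER"

# Error codes from the page. Only an expired code is worth retrying, and the only
# valid retry is restarting the flow so the user gets a fresh, single-use code.
RETRY_BY_RESTARTING = {"code_expired"}


class DripAuthError(Exception):
    def __init__(self, code, restart_flow=False):
        super().__init__(code)
        self.code = code
        self.restart_flow = restart_flow


class DripAuthClient:
    """Builds the consent URL, validates the callback and exchanges the code.
    `http_post(url, body) -> (status, dict)` is injected so this runs offline."""

    def __init__(self, client_id, redirect_uri, http_post):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._http_post = http_post
        self._pending_states = set()  # stand-in for a server-side session store

    def authorize_url(self):
        # ASSUMPTION: a `state` parameter is assumed to round-trip through the consent
        # page; binding it to the user's session is the CSRF check on the callback.
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}
        return f"{CONSENT_URL}?{urlencode(params)}"

    def parse_callback(self, callback_url):
        """Validate the redirect back to redirect_uri and return the auth code."""
        parsed = urlparse(callback_url)
        # Exact match, trailing slash included (see Troubleshooting). The query string
        # is excluded from the comparison because DRIP appends code/response_type to it.
        received = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        if received != self.redirect_uri:
            raise DripAuthError("redirect_uri_mismatch")
        query = parse_qs(parsed.query)
        if "error" in query:  # user denied on the consent page; value not documented on the page
            raise DripAuthError(query["error"][0])
        state = query.get("state", [None])[0]
        if state not in self._pending_states:
            raise DripAuthError("invalid_state")  # unknown or replayed state: possible CSRF
        self._pending_states.discard(state)  # a state is single-use, like the code
        code = query.get("code", [None])[0]
        if not code:
            raise DripAuthError("invalid_code")
        return code

    def exchange_code(self, code):
        # ASSUMPTION: request body fields; the page only says the exchange returns dripId.
        body = {"client_id": self.client_id, "code": code, "redirect_uri": self.redirect_uri}
        status, payload = self._http_post(EXCHANGE_URL, body)
        if status == 200 and payload.get("dripId"):
            return payload["dripId"]
        error = payload.get("error", "unknown_error")
        raise DripAuthError(error, restart_flow=error in RETRY_BY_RESTARTING)


def complete_login(client, callback_url):
    """Outcome for the callback handler: ('ok', dripId), ('restart', error) when a
    fresh authorization should be started, or ('fail', error) for everything else."""
    try:
        code = client.parse_callback(callback_url)
        return ("ok", client.exchange_code(code))
    except DripAuthError as exc:
        return ("restart" if exc.restart_flow else "fail", exc.code)


def fake_drip_api(url, body):
    """Constructed stand-in for the exchange endpoint, not DRIP's real behaviour."""
    responses = {
        "good-code": (200, {"dripId": "drip_user_0001"}),
        "stale-code": (400, {"error": "code_expired"}),
        "used-code": (400, {"error": "code_already_used"}),
    }
    return responses.get(body["code"], (400, {"error": "invalid_code"}))


def state_from(url):
    return parse_qs(urlparse(url).query)["state"][0]


if __name__ == "__main__":
    client = DripAuthClient("YOUR_CLIENT_ID", "https://myapp.example/callback", fake_drip_api)
    url = client.authorize_url()
    cb = f"https://myapp.example/callback?code=good-code&response_type=code&state={state_from(url)}"
    print(complete_login(client, cb))  # ('ok', 'drip_user_0001')
```

The pending-state set stands in for whatever session store your framework provides; the important properties are that a state is tied to the browser session that started the flow and is discarded on first use, so a replayed or forged callback fails before any code is sent to the API. Because codes are single-use, a callback that fails after the exchange cannot be retried with the same code; only an expired code is mapped to a restart of the flow.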
Authorization Code TTL
- Codes expire in 5 minutes
- Single-use only (invalidated after exchange)
- Cannot be reused once exchanged
- Implement retry logic for expired codes
Token Security
- Store tokens securely (never in frontend code)
- Use HTTPS for all API calls
- Validate redirect URIs
- Implement CSRF protection
User Privacy
- Minimal data exposure (only dripId)
- Explicit user consent required
- Users can revoke access anytime
- Clear privacy policy recommended
App Verification
- Display app info transparently
- Show verification status to users
- Include developer information
- Provide clear app description
Error Handling
Handle common authentication errors gracefully:
Invalid Client ID
Error:
invalid_client
Causes:
- Client ID doesn’t exist
- Client has been deactivated
Code Already Used
Error:
code_already_used
Causes:
- Authorization code was already exchanged
- Duplicate exchange attempt
Code Expired
Error:
code_expired
Causes:
- More than 5 minutes passed since code generation
- Network delays
Invalid Code
Error:
invalid_code
Causes:
- Malformed authorization code
- Code doesn’t exist
- Wrong client attempting exchange
Best Practices
User Experience
1. Clear Consent UI
Build a clear consent screen showing:
- App name and logo
- Requested permissions
- Developer information
- What data will be accessed
2. Smooth Flow
- Minimize redirects
- Show loading states
- Handle errors gracefully
- Provide clear success feedback
3. Session Management
- Store DRIP ID securely
- Implement session expiration
- Provide logout functionality
- Clear sessions on errors
Implementation Tips
Testing Your Implementation
Test Authorization Flow
Troubleshooting
Common Issues:
- Ensure your client has the correct scopes for user data access
- Verify redirect URIs match exactly (including trailing slashes)
- Check that authorization codes are exchanged within 5 minutes
- Confirm your app token has necessary permissions