In order to authenticate a member with their credentials, you must use the standard OAuth 2.0 Authorization Code Flow. This process involves you sending your users to a Daxko login form, and we will redirect back to your site with an authorization code that can be used to make server to server api calls.

Step 1: Settings (one-time setup)

You must first configure settings to enable the authentication form for your api username before using the form using the Save member OAuth2 settings API call.

  • valid_redirect_uris is a required list of URLs on YOUR site that Daxko can redirect to after a successful authentication of a member.
  • If you enter a non-blank value for links.sign_up.url and links.forgot_password.url, then we will render a link on our form that links to your site so that you can handle the sign up and/or forgot password flow and control that experience.


PUT /v3/partners/oauth2/members/settings
    "settings": {
        "valid_redirect_uris": [
        "links": {
            "sign_up": {
                "url": ""
            "forgot_password": {
                "url": ""

Step 2: Build Auth Form URL

In your code, build a URL using the format below and redirect your user to Daxko Operations:
  &redirect_uri= is the production Daxko Operations site and is the URL you should use when you go live. If you are testing with a non-production Daxko Operations site/api, then you’ll need to use one of the following URLs:,, or depending on your desired environment.

Explanation of parameters:

  • response_type=code - This tells Daxko that your application is initiating the authorization code flow.
  • client_id - The api username provided by Daxko. This is the standard parameter name specified by OAuth - do not confuse this with the Daxko Operations integer client id.
  • redirect_uri - Tells Daxko where to send the user back to after they approve the request. NOTE: This must be configured first in Step 1.
  • scope - One or more space-separated strings indicating which permissions the application is requesting. client:NNNN says that you’re requesting a login for for Daxko Operations client NNNN where NNNN is an integer such as 9991. member:basic_info says that you’re requesting the member’s basic information (including member id).
  • state - Your application generates a random string and includes it in the request. You should then check that the same value is returned after the user authorizes the app. This is used to prevent CSRF attacks.

When the user reaches this page, they will be shown a login screen.

Step 3: Redirect Back to Your Site

When the login is successful, Daxko Operations will redirect back to your site (using the redirect_uri specified in Step 2) with additional parameters in the URL.

Daxko Operations redirects the user to:

The code expires in 10 minutes.

You should validate that the state value is the same value that you passed in Step 2 and throw an error on your site if they don’t match (this protects against Cross-site request forgery attacks).

Step 4: Exchange Auth Code for Access Token

Use the code from Step 3 value to make a secure API call from your server (where the API credentials are securely stored) to get an access_token for this member.

You need to make an API call to the /v3/partners/oauth2/members/token endpoint using these parameters:

OAuth2 parameter name Description Example
grant_type OAuth grant type always authorization_code
client_id Your Daxko API username daxko_api_user
client_secret Your Daxko API password d9a2652cf96d734661c10d5ff2f8061f
code The code in the query string from Step 3 haOFJDr87EaP0d0tllfL0MHsVfIvJTHaOPPaTbixRXw
redirect_uri The exact redirect_uri you used in step 2

You’ll need to include your refresh_token in the Authorization header as in the example below for this call.

An example curl request to get an access token for this member would be:

curl -XPOST {base_url}/v3/partners/oauth2/members/token \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-F "grant_type=authorization_code" \
-F "client_id=daxko_api_user" \
-F "client_secret=d9a2652cf96d734661c10d5ff2f8061f" \
-F "code=haOFJDr87EaP0d0tllfL0MHsVfIvJTHaOPPaTbixRXw" |
-F "redirect_uri=" \


  "access_token": "ayJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ...",
  "expires_in": "600",
  "token_type": "bearer"

This access token expires in 10 minutes.

Once you exchange the code for the access token, the code will no longer be valid.

Step 4: Get Member Info

You now have an access_token that is scoped to this member. The only call you currently make with this access_token is Get my member info using the access_token value in the header such as: Bearer ayJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ...

curl -XGET {base_url}/v3/members/me \
-H "Authorization: Bearer ayJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ..." 


  "member_id": "400007995-00",
  "member_unit_id": "400007995",
  "name": {
    "first_name": "Erika",
    "last_name": "Doe"

Now that you have member_id and member_unit_id, you can use these ids to make other API calls on behalf of this user (using the main access_token that you normally use - you may discard this access_token after retrieving this member’s information)