Client-Side Web Applications - Implicit Grant

In order to access our API from client-side web applications, such as a Single Page Application, you’ll need to implement the Implicit Grant OAuth2 flow.

This authorization flow is a one-step process:

  • Request an access token

1. Authorize the user

Redirect the user to the /authorize endpoint. The user will authenticate and grant your application access for the requested scopes

Request Parameters

audienceThe API you are requesting access for (API Base URL)
scopeThe scopes that you want to request authorization for. Each scope must be separated by a space.
client_idYour application’s Client ID (provided by Aventus when you registered your application)
redirect_uriThe redirect_uri of your application, where authentication responses will be sent to.

The redirect uri must exactly match one of the callback URLs provided when registering your application
nonceA string token which will be included in the ID token response, this is used to prevent token replay attacks
stateA randomly generated unique value included in the request that is also returned in the token response, this is used to prevent cross-site request forgery attacks.


At this point, the user is asked to enter their credentials and consent to the scopes requested by your application. After the user has granted consent to your application, Aventus sends a response to the redirect_uri with the access_token in the hash fragment.

access_tokenThe requested access token as a signed JSON Web Token (JWT). Your application can use this token to access the Aventus Platform API.
stateThe state parameter sent in the response should be the same value sent in the request. It is good practice to verify that the state values in the request and response are identical.
token_typeIndicates the token type. The only token type supported by the Aventus Platform is Bearer
expires_inHow long the access token is valid (in seconds)