Client Side Authorization Flow

Client side authentication and authorization flow is very similar to the server side flow. The difference is in the parameters passed to the server and in the response fields that you get back.

Authentication & Authorization

To enter the authentication/authorization client-side flow, you must pass the following parameters to the authorization URL:

Oauth URL


Name Description Required
client_id Application key generated during the app registration. true
redirect_uri URL that the user's browser will be redirected back to once the application authorization is completed. You can specify this URL in your application settings as a Callback URL, or pass it as a request paremeter. The redirect_uri must be within the same domain as the Site Domain you specified in the application settings. true
response_type For the client side flow the response type is defaulted to "token" and you don't need to pass it as a parameter. true
scope A comma delimited list of permissions that the application needs. By default the scope is set to a full data access.This is subject to change in the upcoming releases. false
display For the client side flow the display parameter is defaulted to "web". false


If the user is already logged in, we validate the login cookie that we have stored on the user's browser and authenticate the user.If the user is not logged in, they are prompted to enter their credentials:

Once we have successfully authenticated the user, we will prompt the user to authorize your application:

If the user presses Don't Allow, your app is not authorized.The user will be redirected (via HTTP 302) to the URL you passed in the redirect_uri parameter with the following error information:

Returned Fields

Name Type Description
status String If user cancels the authorization flow, the status will be set to "unauthorized".
message String Error message



If the user presses Allow, your app is authorized.The user will be redirected (via HTTP 302) to the URL you passed in the redirect_uri parameter with an authorization code:

Returned Fields

Name Type Description
access_token String Access token to be used with every API request
expires_in Number Seconds until the token will expire



Cross Domain API Calls

Geni Platform supports cross-domain API calls using JSONP framework. Below is a simple example for Geni JSONP API call. You must provide a valid access token in order to make an JSONP API call.


var Geni = {callbacks:{}, client_id:"YOUR_APP_KEY", access_token:""};

function jsonp(url, params, callback) {
  var script  = document.createElement('script');
  var g_uuid = 'g' + (((1+Math.random())*0x10000)|0).toString(16).substring(1);
  params = params || {};  
  params['callback'] = 'Geni.callbacks.' + g_uuid;
  var query = [];
  for(var p in params) str.push(encodeURIComponent(p) + "=" + encodeURIComponent(params[p]));
  query = query.join("&");
  url = url + (url.indexOf('?')>-1 ? '&' : '?') + query;

  Geni.callbacks[g_uuid] = function(data) {
    if(callback) callback(data);
    delete Geni.callbacks[g_uuid];
  script.src = url;

// Parse access token from the URL if it is available
if (Geni.access_token == "") {
  var params = {};

  var anchor = window.location.href.split("#");
	if (anchor.length > 1) {
	  var parts = anchor[1].split("&"); 
	  for (var i=0; i < parts.length; i++) {
		  var values = parts[i].split("=");
		  params[values[0]] = values[1]; 

  // Add code to store/retrieve access token from a cookie
	Geni.access_token = params["access_token"];
if (Geni.access_token == "") {
  window.location = "" + Geni.client_id + "&redirect_uri=" 
	                  + window.location.href + "&response_type=token";
} else {	
  // Get profile data
	jsonp("/profile", {access_token:Geni.access_token}, function(data) {
	  alert("Hello " + data["name"]);

Geni JavaScript Client SDK

Geni Platform comes with a full featured JavaScript library that allows you to build dynamic web applications in the browser with Geni's data. It supports authentication, autherization and API calls to get the site data.