deviant art

Deviant Login
Buy Art Buy adCast Buy Premium Membership
Shop		  Join deviantART for FREE Take the Tour

Developers

Gaining OAuth 2.0 Credentials

In order to make API calls, you must first register your application (after logging in with your deviantART account)

After you've registered, you'll gain access to a pair of client_id and client_secret codes on the My Applications page.

These codes will enable you to authenticate users through your app and make API calls on their behalf.

An Important Note about Oauth 2.0 Drafts

Since available libraries support different drafts of the OAuth 2.0 specification, we've decided to support both draft 10 and draft 15 which are the most commonly used versions in current open-source OAuth 2.0 libraries.

The URL for each API call differs depending on which version of OAuth 2.0 you've authenticated the user with. Since the drafts are not interchangeable, a user authenticated through draft 10 can only call draft 10 endpoints, and likewise with draft 15.

For example, the /placebo API call uses these two endpoints:

https://www.deviantart.com/api/draft10/placebo
https://www.deviantart.com/api/draft15/placebo

You should call the first endpoint if you're using a draft 10 library, and the second endpoint if you're using a draft 15 library.

Beware of libraries that are only compatible with OAuth (not 2.0).
The OAuth 2.0 standard is not backwards compatible and we don't support the old version of the standard.

User Authorization

Before making API calls for a user, you must ask that user to authorize your application. First you should redirect the user to one of deviantART's authorization URLs along with the required query-string parameters below.

The correct URL to use depends on which Oauth 2.0 draft you've chosen:

https://www.deviantart.com/oauth2/draft10/authorize
https://www.deviantart.com/oauth2/draft15/authorize Required Parameters

These parameters must be sent as query-string GET fields.

  • response_type code
    Setting response_type to code is required. Doing so will include the authorization code in the response.
  • client_id Your app's client_id (obtained during app registration)
  • redirect_uri Your app's URI which the user should be redirected to after authorizing
Successful Response

A successful response means that the user will be redirected to your whitelisted URI along with the following GET parameter:

  • code A unique authorization code for a specific user
Unsuccessful Response

An unsuccessful response means that the user chose not to authorize your application.

  • error access_denied
  • error_description The user denied access to this application.
Notes

Note that the redirect_uri you provide must match one of the URIs in your registered application's whitelist. If you'd like to update this whitelist, click the corresponding [Edit] link for your application on the My Applications page. You'll find the whitelist options in the Publishing Options dropdown.

Access Tokens

Once the user has authorized your application, they will be redirected to the redirect_uri you've provided along with an extra code parameter. Use this code to make your first API call - a token request:

https://www.deviantart.com/oauth2/draft10/token
https://www.deviantart.com/oauth2/draft15/token Required Parameters

These parameters may be sent via GET or POST

  • client_id Your app's client_id (obtained during app registration)
  • client_secret Your app's client_secret (obtained during app registration)
  • grant_type authorization_code or refresh_token
    authorization_code is the default grant_type and is used to obtain a brand new token.
    Since tokens have an expiration, refresh_token is used to obtain subsequent tokens.
    It's advised to use authorization_code to get your first access_token, and then refresh_token to get all subsequent tokens. You can obtain a new token via refresh_token at any time, regardless of expiration.
  • code The code query-string parameter obtained by the authorization redirect
    This is only required if grant_type is set to authorization_code
  • refresh_token The refresh_token obtained by a previous /token call.
    This is used to generate new tokens afer using grant_type of authorization_code to obtain your first token.
    It must match the refresh_token field obtained by the most recent call to /token.
    It is only required if grant_type is set to refresh_token.
Successful Response

A successful token call will return a JSON-encoded token that you can then use to make API calls.

{
  "expires_in": 3600,
  "status": "success",
  "access_token": "Alph4num3r1ct0k3nv4lu3",
  "refresh_token": "0123456789"
}
Unsuccessful Response

An unsuccessful response will return an HTTP 400 - Bad Request or an HTTP 401 - Unauthorized, optionally with one of the following JSON responses:

{
  "status": "error",
  "error": "access_denied",
  "error_description": "Access to this oAuth2 resource is denied, invalid client_secret."
}
{
  "status": "error",
  "error": "unsupported_grant_type",
  "error_description": "Only authorization_code and refresh_token are supported for access grant."
}
{
  "status": "error",
  "error": "invalid_code",
  "error_description": "Access code must be numeric"
}
{
  "status": "error",
  "error": "invalid_grant",
  "error_description": "Invalid access code."
}
{
  "status": "error",
  "error": "invalid_request",
  "error_description": "refresh_token must be specified"
}
{
  "status": "error",
  "error": "invalid_grant",
  "error_description": "Invalid refresh token."
}

Placebo Call

The first and most basic authenticated API call. It checks that a given access_token is still valid. The endpoints are:

https://www.deviantart.com/api/draft10/placebo
https://www.deviantart.com/api/draft15/placebo Required Parameters

These parameters may be sent via GET or POST

  • access_token The token obtained by a call to /token
Successful Response

If the token is valid, it will return the following JSON:

{
  status: "success"
}
Failed Response

If the token has expired, it will return the following JSON:

{
  "status": "error",
  "error": "expired_token"
}
Notes

This call is most useful for checking that an access_token is still valid before making another API call that might take a long time (like a file upload). This way, if a token has expired, your users won't have to wait until the upload (or any other long-running API call) returns an error before your app notices and makes a /token call to refresh the expired token.

©2013 deviantART. All rights reserved
About Us | Contact Us | Developers | Careers | Site Tour | Help & FAQ Advertise | Premium Membership Etiquette | Privacy Policy | Terms of Service | Copyright Policy