
Authentication

Introduction

Dailymotion’s API uses the OAuth 2.0 protocol for authentication and authorization. A number of flows are supported, so you can authenticate users in web applications via redirects, in JavaScript, or in desktop and mobile applications.

When a Dailymotion user authorizes your application, your application gets access to the user’s Dailymotion account. By default, your application can only access the user’s public data. If your application needs to read private data or change the user’s associated data, it can request a larger permission scope. See Requesting Extended Permissions.

During the authentication process, the user is presented with a UI in which the user can authorize your application to access his profile with the requested permission scope. The user has the option to remove some requested permissions, so your application must be able to deal with this use case.

Client Profiles

At a high level, using OAuth 2.0 entails getting an access token for a Dailymotion user via a redirect to Dailymotion. After you obtain the access token for a user, you can perform authorized requests on behalf of the user by including the access token in your API requests:

https://api.dailymotion.com/videos?access_token=<ACCESS_TOKEN>

You can also provide the access token using an Authorization HTTP header (recommended):

GET /json HTTP/1.1
Host: api.dailymotion.com
Authorization: OAuth <ACCESS_TOKEN>

Web Server

The web server profile is suitable for clients capable of interacting with the end-user’s user-agent (typically a web browser) and capable of receiving incoming requests from the authorization server (capable of acting as an HTTP server).

The steps to obtain an access token are:

  1. Register your application to get an API key and secret. Your API key is your client_id and your API secret is your client_secret.

  2. Redirect the user to https://api.dailymotion.com/oauth/authorize with your client_id and the URL the user should be redirected back to after the authorization process (redirect_uri) [1] (line breaks are for display purposes only):

    https://api.dailymotion.com/oauth/authorize?
        response_type=code&
        client_id=<YOUR_API_KEY>&
        redirect_uri=http://www.example.com/oauth_redirect

    If your redirect_uri has to be dynamic, you can use a slug part this way:

    http://www.example.com/oauth_redirect/[dynamic_part]

    This way, you can provide any callback URL that respects this format, for example:

    http://www.example.com/oauth_redirect/app_98123
    http://www.example.com/oauth_redirect/video-uploader-455

  3. If the user authorizes your application, Dailymotion redirects the user back to the redirect URI you specified with a verification string in the code argument. This code can then be exchanged for an OAuth access token by POSTing to https://api.dailymotion.com/oauth/token. Pass the exact same redirect_uri as in the previous step (line breaks are for display purposes only):

    POST /oauth/token HTTP/1.1
    Host: api.dailymotion.com
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=authorization_code&
    client_id=<YOUR_API_KEY>&
    client_secret=<YOUR_API_SECRET>&
    redirect_uri=http://www.example.com/oauth_redirect&
    code=<CODE>

    In response, you will get the following JSON response:

    {
      "access_token": "<ACCESS_TOKEN>",
      "expires_in": 36000,
      "refresh_token": "<REFRESH_TOKEN>"
    }
    
  4. Use the access token returned by the request above to make requests on behalf of the user:

    https://api.dailymotion.com/videos?access_token=<ACCESS_TOKEN>

Note

If the user does not authorize your application, Dailymotion redirects the user to the redirect URI you specified, and adds the error and error_description parameters to the query component.

Note

The access token is valid for a number of seconds defined by the expires_in of the token server response. You can use the obtained refresh token to request another access token without the need to ask the user again. See Requesting Access token from a Refresh Token for more details.
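The web server steps above, sketched as an added example (not Dailymotion's own code). The function names are hypothetical, no network call is made, and the functions only build and interpret the messages the steps describe, including the error redirect from the first note:

```javascript
// Added example: web server profile, steps 2-4. Function names are hypothetical.
const AUTHORIZE_URL = "https://api.dailymotion.com/oauth/authorize";
const TOKEN_URL = "https://api.dailymotion.com/oauth/token";

// Step 2: URL the user is redirected to.
function buildAuthorizeUrl(clientId, redirectUri) {
  const q = new URLSearchParams({ response_type: "code", client_id: clientId, redirect_uri: redirectUri });
  return `${AUTHORIZE_URL}?${q}`;
}

// Step 3a: interpret the request that arrives on the redirect URI.
// Returns { code } on success, { error, description } when the user declined.
function readCallback(callbackUrl, redirectUri) {
  const got = new URL(callbackUrl);
  const want = new URL(redirectUri);
  if (got.origin !== want.origin || got.pathname !== want.pathname) {
    throw new Error("callback does not match the redirect_uri we sent");
  }
  const p = got.searchParams;
  if (p.has("error")) {
    return { error: p.get("error"), description: p.get("error_description") || "" };
  }
  const code = p.get("code");
  if (!code) throw new Error("callback carries neither code nor error");
  return { code };
}

// Step 3b: the POST that exchanges the code; redirect_uri must be identical to step 2.
function buildTokenRequest(clientId, clientSecret, redirectUri, code) {
  return {
    method: "POST",
    url: TOKEN_URL,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "authorization_code",
      client_id: clientId,
      client_secret: clientSecret,
      redirect_uri: redirectUri,
      code,
    }).toString(),
  };
}

// Step 4: send the token in the Authorization header (the recommended form),
// which keeps it out of request URLs and whatever records them.
function buildApiRequest(path, accessToken) {
  return { method: "GET", url: `https://api.dailymotion.com${path}`, headers: { Authorization: `OAuth ${accessToken}` } };
}
```

The client_secret appears only in the server-side token request and never in anything sent to the browser.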

User-Agent

The user-agent profile is suitable for client applications residing in a user-agent, typically implemented in a browser using a scripting language such as JavaScript. These clients cannot keep client secrets confidential and the authentication of the client is based on the user-agent’s same-origin policy.

Unlike the Web Server profile, in which the client makes separate requests for end-user authorization and access token, the client receives the access token as a result of the end-user authorization request in the form of an HTTP redirection. The client requests the authorization server to redirect the user-agent to another web server or local resource accessible to the user-agent which is capable of extracting the access token from the response and passing it to the client.

This user-agent profile does not utilize the client secret since the client executables reside on the end-user’s computer or device which makes the client secret accessible and exploitable. Because the access token is encoded into the redirection URI, it may be exposed to the end-user and other applications residing on the computer or device.

The steps to obtain an access token are:

  1. Register your application to get an API key (the secret won’t be used with this profile). Your API key is your client_id.

  2. Redirect the user to https://api.dailymotion.com/oauth/authorize with your client_id and the redirect URI. Set the response_type to token. If your application is popping up a window, you can trigger the compact popup version of the authorization dialog by setting display to popup. For example (line breaks are for display purposes only):

    https://api.dailymotion.com/oauth/authorize?
        response_type=token&
        client_id=<YOUR_API_KEY>&
        redirect_uri=http://www.example.com/callback&
        display=popup

  3. After the user authorizes your application, Dailymotion redirects the user to the redirect URI you specified with the access token in the URI fragment:

    http://www.example.com/callback#access_token=<ACCESS_TOKEN>&expires_in=<EXPIRES_IN_SECONDS>

  4. Use the access token returned by the request above to fetch data from the Dailymotion API on behalf of the user. You can use JSONP callbacks with the jsonp argument:

    https://api.dailymotion.com/videos/uploaded?access_token=<ACCESS_TOKEN>&jsonp=myCallback

Note

If the user does not authorize your application, Dailymotion redirects the user to the redirect URI you specified, and adds the error and error_description parameters to the URI fragment.
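Step 3 and the error case in the note, as an added example (not Dailymotion's own code). It reads the URI fragment once and then removes it from the address bar and the current history entry, which limits the exposure described above. The function names, the malformed_fragment label and the sample values are assumptions made for illustration:

```javascript
// Added example: user-agent profile, step 3. `loc` and `hist` stand in for
// window.location and window.history so the logic also runs outside a browser.
function parseFragment(hash) {
  const p = new URLSearchParams(hash.replace(/^#/, ""));
  if (p.has("error")) {
    return { ok: false, error: p.get("error"), description: p.get("error_description") || "" };
  }
  const token = p.get("access_token");
  const expiresIn = Number(p.get("expires_in"));
  if (!token || !Number.isInteger(expiresIn) || expiresIn <= 0) {
    // "malformed_fragment" is a local, hypothetical label, not a server error code.
    return { ok: false, error: "malformed_fragment", description: "missing access_token or expires_in" };
  }
  return { ok: true, accessToken: token, expiresIn };
}

// Read the fragment once, then drop it from the visible URL and the current
// history entry, whether it carried a token or an error.
function consumeFragment(loc, hist, nowMs) {
  const result = parseFragment(loc.hash);
  hist.replaceState(null, "", loc.pathname + loc.search);
  if (result.ok) {
    result.expiresAt = nowMs + result.expiresIn * 1000; // absolute expiry in ms
    delete result.expiresIn;
  }
  return result;
}

// Constructed stand-ins for a browser that has just been redirected back.
const sampleLoc = { pathname: "/callback", search: "", hash: "#access_token=SAMPLE_TOKEN&expires_in=36000" };
const sampleHist = { replaceState(_state, _title, url) { sampleLoc.hash = ""; sampleHist.url = url; } };
console.log(consumeFragment(sampleLoc, sampleHist, Date.now()), "address bar now:", sampleHist.url);
```

In a page, the call is consumeFragment(window.location, window.history, Date.now()).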

Native Application

Native applications are clients running as native code on the end-user’s computer or device (i.e. executing outside a user-agent or as a desktop program). These clients are often capable of interacting with (or embedding) the end-user’s user-agent but are limited in how such interaction affects their end-user experience. In many cases, native applications are incapable of receiving direct callback requests from the server (e.g. firewall, operating system restrictions).

Native application clients can be implemented in different ways based on their requirements and desired end-user experience. Native application clients can:

  • Utilize the end-user authorization endpoint as described in the User-Agent section by launching an external user-agent. The client can capture the response by providing a redirection URI with a custom URI scheme (registered with the operating system to invoke the client application), or by providing a redirection URI pointing to a server-hosted resource under the client’s control which makes the response available to the client (e.g. using the window title or other locations accessible from outside the user-agent).
  • Utilize the end-user authorization endpoint as described in the User-Agent section by using an embedded user-agent. The client obtains the response by directly communicating with the embedded user-agent.
  • Prompt the end-user for their password credentials and use them directly to obtain an access token. This is discouraged, as the user will have to communicate her credentials directly to your application. Additionally, users who created their account using their Facebook account won’t be able to log in to your application using this authentication method. If you have no other choice but to use this method, you are not allowed to store the obtained credentials.

The steps to obtain an access token using end-user password credentials are:

  1. Register your application to get an API key and secret. Your API key is your client_id and your API secret is your client_secret.

  2. Ask the end-user for her credentials, which consist of a username and a password.

  3. Obtain an OAuth access token by POSTing to https://api.dailymotion.com/oauth/token. Set the grant_type to password and pass your client_id and client_secret with the user credentials (line breaks are for display purposes only):

    POST /oauth/token HTTP/1.1
    Host: api.dailymotion.com
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=password&
    client_id=<YOUR_API_KEY>&
    client_secret=<YOUR_API_SECRET>&
    username=<END_USER_USERNAME>&
    password=<END_USER_PASSWORD>

    In response, you will get the following JSON response:

    {
      "access_token": "<ACCESS_TOKEN>",
      "expires_in": 36000,
      "refresh_token": "<REFRESH_TOKEN>"
    }
    
  4. Use the access token returned by the request above to make requests on behalf of the user:

    https://api.dailymotion.com/videos?access_token=<ACCESS_TOKEN>

Note

The access token is valid for a number of seconds defined by the expires_in of the token server response. You can use the obtained refresh token to request another access token without the need to ask the user again. See Requesting Access token from a Refresh Token for more details.

Requesting Access token from a Refresh Token

Some authorization methods provide you with a refresh token in addition to the access token. The access token validity is always limited in time. The access token validity is indicated by the expires_in key of the token server response or by a 401 HTTP status code error when used with the API (see OAuth 2.0 protocol for more details).

Once the access token has expired, if you are in possession of a refresh token, you can request another access token without the need to ask the end-user again. To do that, send the following request to the token server at https://api.dailymotion.com/oauth/token:

POST /oauth/token HTTP/1.1
Host: api.dailymotion.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
client_id=<YOUR_API_KEY>&
client_secret=<YOUR_API_SECRET>&
refresh_token=<REFRESH_TOKEN>

In response you will get the following JSON object:

{
  "access_token": "<ACCESS_TOKEN>",
  "expires_in": 36000,
  "refresh_token": "<REFRESH_TOKEN>"
}

In case of error, the JSON object will contain an error and error_description key. See OAuth 2.0 protocol for more details.
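The expiry and refresh logic described in this section, as an added example (not Dailymotion's own code). TokenSession, its method names, the 60-second margin and the sample values are assumptions made for illustration, and no network call is made:

```javascript
// Added example: access-token lifetime and refresh. TokenSession is a hypothetical name.
const TOKEN_URL = "https://api.dailymotion.com/oauth/token";

class TokenSession {
  constructor(clientId, clientSecret, tokenResponse, nowMs) {
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.apply(tokenResponse, nowMs);
  }

  // Accept a token-server JSON object; on an error object nothing is changed.
  apply(resp, nowMs) {
    if (resp.error) throw new Error(`${resp.error}: ${resp.error_description || ""}`);
    if (typeof resp.access_token !== "string" || !(resp.expires_in > 0)) {
      throw new Error("token response lacks access_token or expires_in");
    }
    this.accessToken = resp.access_token;
    this.expiresAt = nowMs + resp.expires_in * 1000;
    // The response carries a refresh_token too: store it in place of the old one.
    if (resp.refresh_token) this.refreshToken = resp.refresh_token;
  }

  // Expired by the clock (with an assumed safety margin) or reported by the API as 401.
  needsRefresh(nowMs, lastStatus = 200, marginMs = 60000) {
    return lastStatus === 401 || nowMs >= this.expiresAt - marginMs;
  }

  buildRefreshRequest() {
    if (!this.refreshToken) throw new Error("no refresh token: send the user through authorization again");
    return {
      method: "POST",
      url: TOKEN_URL,
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({
        grant_type: "refresh_token",
        client_id: this.clientId,
        client_secret: this.clientSecret,
        refresh_token: this.refreshToken,
      }).toString(),
    };
  }
}

// Constructed token response in the shape shown above.
const demo = new TokenSession("KEY", "SECRET", { access_token: "A1", expires_in: 36000, refresh_token: "R1" }, Date.now());
console.log(demo.needsRefresh(Date.now()), demo.buildRefreshRequest().body);
```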

Requesting Extended Permissions

In the examples, the OAuth process authenticates your application with the Dailymotion user, which allows you to fetch general information about the user’s profile via the Dailymotion APIs. As mentioned above, if you need to fetch private data associated with the user or you want to request permission to publish content on a user’s behalf, you will need to request an extended permission scope.

To request permissions via OAuth 2.0, use the scope argument in your authorization request, and include a whitespace-separated list of all the permissions you want to request. For example, this authorization request asks for read/write access:

https://api.dailymotion.com/oauth/authorize?
    response_type=code&
    client_id=<YOUR_API_KEY>&
    redirect_uri=http://www.example.com/callback&
    scope=read+write

Here is the list of permissions:

  • email – Provides access to the user’s primary email address in the email property. Do not spam users.
  • userinfo – Provides read/write access to some user’s personal information like fullname and birthday
  • manage_videos – Allows to modify or delete user’s uploaded videos and to publish new ones (replaces the deprecated write and delete permissions)
  • manage_comments – Provides the ability to publish comments on videos on behalf of the user
  • manage_playlists – Allows to create/edit/delete playlists
  • manage_tiles – Allows to read/write user’s saved tiles
  • manage_subscriptions – Allows to manage user’s subscriptions
  • manage_friends – Allows to manage user’s friends
  • manage_favorites – Allows to add/remove videos to user’s favorites
  • manage_groups – Allows to manage user’s groups

Revoking Authorization

Your application should always allow users to revoke authorization granted to your API key. The user can also revoke your application from his settings, but it’s far less user-friendly than having a “Logout from Dailymotion” button in your interface.

To revoke authorization, perform an HTTP GET to the /logout URI with the access_token parameter (or header). Once done, your current session (access_token and/or refresh_token) is no longer valid; you must then forget them in your application.

Dialog Form Factors

Dailymotion supports a non-standard display parameter to trigger different form factors for the authorization dialog that may be more appropriate for your application:

  • page – Display a full-page authorization screen (the default)
  • popup – Display a compact dialog optimized for web popup windows
  • mobile – Display an iPhone/Android/smartphone-optimized version of the dialog

Note

If you define page or popup from a known mobile device, the mobile display will be adopted automatically.

For example, to trigger the dialog in a popup window, you would redirect the user to:

https://api.dailymotion.com/oauth/authorize?
    response_type=code&
    client_id=<YOUR_API_KEY>&
    redirect_uri=http://www.example.com/callback&
    display=popup

Footnotes

[1] For security reasons, only a redirect_uri starting with the Callback URL provided when you created your API key will be accepted.