joplin/readme/dev/spec/clipper_auth.md

# Clipper authorisation mechanism

In order to access the clipper API, the client must use a token, which is a random string generated by the application.

There are two ways for applications to obtain this token:

## Get it from the user

The user can copy the token in the Clipper configuration page and provide it directly to the application. This is the simplest method.

## Request it programmatically

The token can also be requested programmatically, as is done for the web clipper extension. It works as below:

- The client calls `POST /auth`. The server responds with `{ auth_token: "AUTH_TOKEN" }`. This `auth_token` is different from the regular token - it is just used to authenticate the client.

- The application displays a message asking the user to Accept or Reject the access request.

- The clients calls `GET /auth/check?auth_token=AUTH_TOKEN` at regular intervals. Initially the server responds with `{ status: "waiting" }`, since we are waiting for the user to confirm or reject.

- Once the user accepts the request in the application, the server returns `{ status: "accepted", token: "API_TOKEN" }`.

- The client can now use this `API_TOKEN` to make requests.

- If the users rejects the request, the server returns `{ status: "rejected" }`, and the client can display an error message.
Desktop, Clipper: Web Clipper now must request authorisation before accessing the application data 2021-06-22 20:57:04 +02:00			`# Clipper authorisation mechanism`

			`In order to access the clipper API, the client must use a token, which is a random string generated by the application.`

			`There are two ways for applications to obtain this token:`

			`## Get it from the user`

			`The user can copy the token in the Clipper configuration page and provide it directly to the application. This is the simplest method.`

			`## Request it programmatically`

			`The token can also be requested programmatically, as is done for the web clipper extension. It works as below:`

Doc: Fixing typos (#5644) 2021-10-30 11:45:02 +02:00			- The client calls `POST /auth`. The server responds with `{ auth_token: "AUTH_TOKEN" }`. This `auth_token` is different from the regular token - it is just used to authenticate the client.
Desktop, Clipper: Web Clipper now must request authorisation before accessing the application data 2021-06-22 20:57:04 +02:00
			`- The application displays a message asking the user to Accept or Reject the access request.`

			- The clients calls `GET /auth/check?auth_token=AUTH_TOKEN` at regular intervals. Initially the server responds with `{ status: "waiting" }`, since we are waiting for the user to confirm or reject.

			- Once the user accepts the request in the application, the server returns `{ status: "accepted", token: "API_TOKEN" }`.

			- The client can now use this `API_TOKEN` to make requests.

			- If the users rejects the request, the server returns `{ status: "rejected" }`, and the client can display an error message.