OAuth 2.0 is the industry-standard protocol for delegated API authorization. Xolo implements three grant types natively — Authorization Code with PKCE, Client Credentials, and Password Grant — directly inside the mobile client, without relying on any external proxy or desktop helper. Token acquisition, PKCE challenge generation, and automatic token refresh are all handled on-device byDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/JonathanHerSa/xolo-api-hub/llms.txt
Use this file to discover all available pages before exploring further.
OAuth2Service.
Grant Types
Authorization Code + PKCE
Authorization Code + PKCE
Client Credentials
Client Credentials
The Client Credentials grant is designed for machine-to-machine (M2M) communication where no user interaction is needed. It authenticates the application itself rather than a specific user.Xolo POSTs directly to the token endpoint with
grant_type=client_credentials. No browser is opened and no user interaction is required.Required fields:| Field | Description |
|---|---|
tokenUrl | Token endpoint URL |
clientId | The OAuth client identifier |
clientSecret | The client secret |
scope | (Optional) Space-separated list of requested scopes |
Password Grant
Password Grant
The Password Grant (Resource Owner Password Credentials) passes a user’s
username and password directly to the token endpoint. It is suitable for trusted first-party clients where the Authorization Code flow is impractical.Xolo sends grant_type=password along with the user credentials and client credentials in a single application/x-www-form-urlencoded POST.Required fields:| Field | Description |
|---|---|
tokenUrl | Token endpoint URL |
clientId | The OAuth client identifier |
clientSecret | The client secret |
username | The resource owner’s username |
password | The resource owner’s password |
scope | (Optional) Space-separated list of requested scopes |
Token Refresh
When a stored OAuth 2.0 access token approaches expiry,OAuth2Service.maybeRefreshOAuth2AuthData() checks whether a refresh is needed and performs it automatically. Refresh is triggered when the token’s expiresAt timestamp is within 60 seconds of the current time.
To refresh a token manually, call refreshAccessToken() directly:
grant_type=refresh_token along with the client credentials to the token endpoint. If the response includes a new refresh_token, Xolo replaces the stored one. If expires_in is present, a new expiresAt timestamp is computed and persisted. The updated auth data is stored back through AuthSecretService, keeping all credentials in flutter_secure_storage.
Automatic refresh applies only to the authorization_code grant type (i.e. tokens that originally came from an interactive browser flow).
OAuth2Service.getAccessToken() Reference
application/x-www-form-urlencoded POST to tokenUrl. On a 200 response it returns the raw access_token string. Any non-200 status code or network error throws an Exception.
Parameters:
The full URL of the OAuth 2.0 token endpoint.
The client identifier issued by the authorization server.
The client secret issued by the authorization server. Pass an empty string for public clients.
One of
client_credentials, password, or authorization_code. Defaults to client_credentials when omitted.Resource owner username. Only included in the request body when
grantType is password.Resource owner password. Only included in the request body when
grantType is password.Space-separated list of requested scopes. Omitted from the request body when empty or
null.The authorization code received from the redirect. Only included when
grantType is authorization_code.The redirect URI that was registered and used in the authorization request. Only included when
grantType is authorization_code.The PKCE code verifier. Only included when
grantType is authorization_code. Xolo generates this automatically when using authorizeAndGetToken().PKCE Flow Step-by-Step
Generate PKCE Parameters
Xolo generates a cryptographically random A random
codeVerifier (64 URL-safe characters) using Random.secure(). It then computes the codeChallenge by hashing the verifier with SHA-256 and encoding the result as base64url (with padding stripped):state value (32 characters) is also generated to protect against CSRF.Start Local Redirect Server
Xolo binds an ephemeral
HttpServer to 127.0.0.1 on a random port between 49152 and 59151. This server listens for the single incoming redirect from the identity provider.Open Authorization URL in Browser
The authorization URL is constructed with
response_type=code, code_challenge_method=S256, and the generated codeChallenge. Xolo opens this URL in the device’s default browser using url_launcher.User Authenticates
The user completes the login and consent flow in the browser. The identity provider redirects the browser to
http://localhost:<port>?code=<auth-code>&state=<state>.Capture Code and Exchange for Tokens
The local server captures the redirect request, validates the
state parameter, and responds with a success page so the browser can be closed. Xolo then calls getAccessToken() with grant_type=authorization_code, passing the code, redirectUri, and codeVerifier. The identity provider verifies the PKCE challenge and returns the access token (and optionally a refresh token). The local server is closed immediately after.