Early on, we knew it would be important to have an authentication system so that users can "sign in with Money Button" in third-party apps. The top reason for this is so that a user can make a purchase with Money Button on a website, come back some time later, and have the website remember what they purchased. There are many other reasons to have an auth system, such as user-to-user payments inside an app. For instance, every feature of Yours.org works with Money Button.
OAuth is the standard framework for delegated authorization, and it is the basis of the "sign in with ..." flows offered by major tech companies like Google and Facebook. The basic idea is that a user presses a button to "sign in with Money Button" and is then directed to a popup asking whether they would like to share permissions with the app. The app can ask for multiple permissions, and if the user agrees, those permissions are granted to the app. The permissions include the user's ID at a minimum, and may include others, such as a list of their UTXOs. If the user doesn't want to grant permissions, they simply click "no".
Apps can authenticate to the Money Button API using standard OAuth 2. This document describes the details of our implementation.
The idea behind using OAuth is to identify the consumer of the API by means of access tokens issued by the OAuth server. Depending on how the token was obtained, the consumer gets a different level of permissions.
The first step in using our OAuth system is to register an app in Money Button. You can do that here: https://www.moneybutton.com/settings/apps/create
Once you create your app, you'll see that Money Button has automatically generated the data needed to authenticate using that app:
Client secret: This credential is used to authenticate as your app, for example to query information related to your app. Treat it like a password: keep it on your server and never embed it in browser or mobile code that users can inspect.
OAuth identifier: This identifier is used in the permission grant flow, which allows a user to give your app permission to access certain resources.
OAuth redirect URL: Used at the end of the permission grant flow; it's where the access token will be sent. Because whoever controls this URL receives the token, register the exact HTTPS URL on which your app will handle the callback.
There are two ways to get access to Money Button resources: logging in with user permissions and logging in with app permissions. Both flows are explained in detail in the next sections.