Integration
This page covers the detailed implementation of BBaton Login. It explains the real API call flow step by step, from authorization code requests and redirect handling to token issuance and user information lookup.
01 Authorization code request
The authorization code request API calls the BBaton Login screen and requests an authorization code after user login. Depending on whether a BBaton login session already exists on the server, the user authentication steps may vary.
If there is no session, the account ID and password screen is shown first. If a session already exists, the authorization code can be issued immediately. Invalid parameters may result in an error screen such as “page not found.”
GET /oauth/authorize?client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&response_type=code&scope=read_profile&state={STATE}
// Option 1: full-page redirect
location.href = "https://bauth.bbaton.com/oauth/authorize?client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&response_type=code&scope=read_profile&state={STATE}";
// Option 2: popup window (same parameters, including state)
window.open(
"https://bauth.bbaton.com/oauth/authorize?client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&response_type=code&scope=read_profile&state={STATE}",
"bbaton",
"width=400, height=500"
);
02 Receive the authorization code at the redirect URL
The response to the authorization request is a redirect to redirect_uri. Its Location header carries a query string containing either the authorization code or an error message. The client server should parse the incoming request and either extract the code or display the appropriate error page.
On success, the code is returned in the form http://redirect_uri?code={CODE}.
An error is returned if the redirect_uri value does not match the value registered in the app settings. Make sure the registered value and the request parameter match exactly.
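One way to handle steps 01 and 02 on the client server, as an added example that is not BBaton's code: generate a random state for each login and verify it before accepting the code. The session object, the function names, the `error` parameter name (taken from RFC 6749) and the assumption that state comes back unchanged on the redirect are not from this page.

```javascript
// Added example, not BBaton's code. The session object and function names are hypothetical.
const crypto = require("node:crypto");

const AUTHORIZE_URL = "https://bauth.bbaton.com/oauth/authorize";

// Step 01: build the authorize URL and bind a fresh random state to the user's session.
function buildAuthorizeUrl(session, clientId, redirectUri) {
  const state = crypto.randomBytes(32).toString("hex");
  session.oauthState = state; // assumption: a server-side session store
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "read_profile",
    state,
  });
  return `${AUTHORIZE_URL}?${params}`;
}

// Step 02: parse the request received at redirect_uri and return the code or a failure reason.
function handleCallback(session, callbackUrl) {
  const query = new URL(callbackUrl).searchParams;
  const expected = Buffer.from(session.oauthState || "");
  delete session.oauthState; // single use: a replayed callback must fail
  const received = Buffer.from(query.get("state") || "");
  if (expected.length === 0 || received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: "state_mismatch" };
  }
  // Assumption: errors arrive in an `error` parameter, as in RFC 6749.
  if (query.has("error")) return { ok: false, reason: query.get("error") };
  const code = query.get("code");
  if (!code) return { ok: false, reason: "missing_code" };
  return { ok: true, code };
}

// Constructed sample: one login attempt, then the same callback replayed.
function demo() {
  const session = {};
  const state = new URL(buildAuthorizeUrl(session, "demo-client", "https://client.example/callback"))
    .searchParams.get("state");
  const callback = `https://client.example/callback?code=abc123&state=${state}`;
  return [handleCallback(session, callback), handleCallback(session, callback)];
}
console.log(demo());
```

A callback that carries no state at all is rejected the same way as one with the wrong state.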
03 Request a token with the authorization code
After receiving the authorization code, call the token request API. User information can be requested only after the token has been issued. The default BBaton account session duration is 24 hours and does not reset after the first authentication.
POST /oauth/token
// The code arrives at the redirect URI registered during API application: http://{REDIRECT_URI}?code={CODE}
const url = "https://bauth.bbaton.com/oauth/token";
const client_id = "client_id issued after API registration";
// Server-side only: secret_key must never be sent to the browser
const secret_key = "secret_key issued after API registration";
const redirect_uri = "redirect_uri registered during API application";
// HTTP Basic credentials: base64 of "client_id:secret_key"
const auth = "Basic " + Buffer.from(client_id + ":" + secret_key).toString("base64");
// Parameters
// grant_type: authorization_code
// redirect_uri: redirect_uri
// code: CODE
// Header
// Authorization: auth
04 Request user information with the token
Once token issuance is complete, user information can be requested from /v2/user/me. This step uses the header Authorization: {token_type} {access_token}, which should be composed according to your implementation language.
GET /v2/user/me
// token_type and access_token received in step 3
const url = "https://bapi.bbaton.com/v2/user/me";
const auth = response.data.token_type + " " + response.data.access_token;
// Header
// Authorization: auth