Step 3.2: Back-end

If your app has a back-end, we recommend using the OAuth 2.0 Authorization Code Grant which consists of the same steps as in Front-end flow for the user but the has an external step in the back-end.

This flow happens through 2 redirections:

  • First redirection brings user to SimpleLogin authorization page when user clicks on the button Connect with SimpleLogin

  • Second redirection brings user back to your app when user allows sharing their data with your app.

The first redirection url contains the following information:

  • your client_id

  • the second redirection url that user is redirected back at the second step.

  • response_type=code to indicate authorization code grant flow.

  • [Optional but highly recommended] a state to this url which will be returned back in the second redirection. This state can prevent the CSRF attack.

This url will look like the following. The line break is for visual purpose only. Please remove the line break in your code.

When user allows your app to have access to their data, SimpleLogin redirects user back to your app along with an code .This url will look like:


With the code, you can exchange for user access_token by calling SimpleLogin token endpoint:

curl -X POST \
--user {your-client-id}:{your-client-secret} \
-d "grant_type=authorization_code&code={code}" \

SimpleLogin server will return something like:

"access_token": "very long string",
"expires_in": 3600,
"scope": "profile",
"token_type": "bearer",
"user": {
"client": "Continental",
"email": "",
"email_verified": true,
"id": 1,
"name": "John Wick"

At this point, you can either use the user information returned at this step directly or use the access_token to call the userinfo endpoint:

curl -H "Authorization: {access_token}" \

In case your library supports OpenID Connect, user id_token can also be returned along with the code. The id_token is actually a JWT token containing user information such as user email, user name, etc you can therefore decode it to get user information instead of getting the access_token.

We have created examples on Flask, NodeJS and more examples are coming.