Gimme an Access Token

This page helps you to obtain an access token or IndieAuth, that you can use with home-made Micropub clients in IFTTT, Workflow and the like.
This page looks hacky on purpose, use at your own risk. Needs javascript, because it works on your own computer.
You can also save this HTML page to your own computer first, if that makes you feel safer. See the code or file an issue.
Step 1 fill out this form:


IndieAuth works with URLs to identify yourself online. What is the URL you want to use to identify with? Usually, this is the URL of your homepage.

Authorization Endpoint

What is your Authorization Endpoint? You can find this by looking for rel="authorization_endpoint" if you view the source of your homepage.

You can also use or XRay to find it for you, based on your me-URL. Look for the authorization_endpoint value, but also look for the token_endpoint while you're at it: you need it in step 2.

Client ID

The URL of the app you request a token for. This is more for administration purposes, but it's good to pick a sensible one. It is important that it's on http:// or https:// and it must have a path, so end in with a slash (/) if you only choose a domain.

Note: servers will try to fetch this URL to verify the redirect_uri (see below). will advertize the redirect_uri as shown below to them. If you pick another client_id, some servers might try to protect you and give a warning, because the redirect_uri is on a different domain than your client_id.


A space-separated list of things you would like to request permission for.


This field is set to a set of random characters. You can leave it as is. This parameter makes sure no-one sits between this page and the Authorization Endpoint. You can also pick your own random characters if that makes you feel safer.

More values

The following fields are also needed for your endpoint, but you can safely ignore them here: we're just showing them for transparency.

Response Type

Redirect URI

Clicking on the button will send the above fields to the specified Authorization Endpoint. There you can sign in and approve the new token. After the signing, you will be redirected to https://nonexisting-domain.invalid/redirect_uri, which does not exist. This is on purpose. See step 2.

Step 2 Getting the code

Redirected URL

On the other window, you will see an empty window for a non-existing page, on a url similar to this one: https://nonexisting-domain.invalid/redirect_uri?code=xxx&
... where 'xxx' is the code, which we need. You can paste the URL into this box and press the button, which will do some URL-parsing and URL-decoding for you. It will also verify the state.

Step 3 Getting the token


This field should have been filled in after you clicked the button above. You can leave it here.

Token Endpoint

This is the place where we will send your code to, so you can download the token. You can discover this the same way as you did with the Authorization Endpoint, but now looking for the token_endpoint rel value.

More values

These values come from step 1, and should have changed to what you filled in there. You can leave them as is.


Client ID

Grant Type

Redirect URI

After clicking on "Download token", another new window will open, this time with your new access token (and some other stuff). Depending on how your token endpoint is set up, your browser might attempt to download a file. You can just download it and open it with a text editor.

You will see something like this:

      "access_token": "XXXXXX",
      "token_type": "Bearer",
      "scope": "create update",
      "me": ""
Where 'xxx' is your access token. Have fun with it, but remember: that thing is your password. Use it wisely.

by Sebastiaan Andeweg | Source | Issues