OAuth Authorization Code Flow with PKCE

Configure the Client

UserVoice follows the OAuth2 specification for authenticating access to its APIs. For public clients, such as a Native App, it is highly recommended to authenticate using the Authorization Code Grant flow with PKCE.

To configure your application to use the UserVoice Idea Collection API please follow the steps below:

  1. From Admin Settings > Integrations, create a new API Key to be used by your app:

    Add API Key

  2. Give your API Key a name and specify your Redirect URI (where your client Auth resides) as the Callback URL:

    Configure API Key

    NOTE: Read more about Redirect URIs for Native Apps in OAuth 2.0 for Native Apps (Page 8).

    NOTE: It is not necessary to select the “Trusted?” option for clients using the /end_users/ API. If you do, do not expose your key.

  3. From your application, request an Authorization Code using the API key created above:

    NOTE: The code_verifier and code_challenge_method params are optional. UserVoice currently supports only S256 as the code_challenge_method. Learn more about PKCE.

  4. The GET request above returns a redirect to a UserVoice Sign In page. Once the user successfully authenticates, they will be directed back to the Redirect URI with a query parameter containing the authorization code:


    Example Redirect:

  5. With the acquired Authorization Code, submit a POST request to obtain a bearer token:

    Example Response:
    { "access_token": "<YOUR_TOKEN>" }

  6. Include this token in the Authorization header of every API request:
    Authorization: Bearer <YOUR_TOKEN>

