Implicit Flow

We recommend the implicit flow method for controlling access between your Single-Page Application (SPA) and a resource server. The flow works as follows:

  1. Your application navigates the browser to the Fortellis Log In page to authenticate the user.
  2. Fortellis redirects the browser back to your redirect URI with access and ID tokens as a hash fragment in the URI.
  3. Your application extracts the tokens from the URI.
  4. Your application uses these tokens to call the resource server for the user.

Using the Implicit Flow

This flow is very similar to the authorization code flow, except that the response_type is token and/or id_token instead of code. Your browser requests access from your authorization server’s authorize endpoint. See the example below: {your_client_id}

The parameters passed in the implicit flow authentication are in the following table:

| Parameter | Description |
| --- | --- |
| client_id | Matches the API key for your solution. |
| response_type | The token being passed. It can also be the id_token or both. |
| scope | The required openid. Additional scopes can be requested. |
| redirect_uri | The callback location where the user-agent will be directed to along with the access_token. This must match the Callback URL you specified when you registered your solution. |
| state | The arbitrary alphanumeric string the authorization server will reproduce when redirecting the user-agent back to the client. This is used to help prevent cross-site request forgery. |

Read more about OAuth 2.0.


If the user doesn't have an existing session, the Fortellis Log In page will open. If they do have an existing session, or after they authenticate, they will arrive at the specified redirect_uri along with a token as a hash fragment. See the example below:


Your application then extracts the token(s) from the URI and stores them.
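
The callback handling described above, as an added example that is not Fortellis's own code: it extracts the tokens from the hash fragment and rejects the response unless state matches the value the application sent. The fragment fields token_type, expires_in and error are assumed from standard OAuth 2.0; the sample fragment and the storage key name are constructed for illustration.

```javascript
// Added example: handle the redirect back to the SPA in the implicit flow.
// Pure function so it runs in a browser or in Node. In a browser, pass
// window.location.hash and the state value saved before the redirect.
function parseImplicitCallback(hash, expectedState) {
  // Drop the leading "#" and parse the fragment like a query string.
  const params = new URLSearchParams(hash.replace(/^#/, ""));

  // Reject anything that does not echo the state this client generated.
  // A missing expected value is treated as a mismatch, never as a pass.
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }

  // Standard OAuth 2.0 reports authorization failures in the fragment too.
  if (params.has("error")) {
    return { ok: false, reason: "authorization_error", error: params.get("error") };
  }

  const accessToken = params.get("access_token");
  const idToken = params.get("id_token");
  if (!accessToken && !idToken) {
    return { ok: false, reason: "no_token" };
  }

  const expiresIn = Number(params.get("expires_in"));
  return {
    ok: true,
    accessToken,
    idToken,
    tokenType: params.get("token_type"),
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
  };
}

// Constructed sample fragment (not real tokens).
const SAMPLE_HASH =
  "#access_token=constructed-access-token&id_token=constructed.id.token" +
  "&token_type=Bearer&expires_in=3600&state=k3J9xQ";

// Browser wiring (assumed; "oauth_state" is a hypothetical storage key):
//   const saved = sessionStorage.getItem("oauth_state");
//   sessionStorage.removeItem("oauth_state");            // state is single use
//   const result = parseImplicitCallback(location.hash, saved);
//   // Remove the tokens from the address bar and history entry.
//   history.replaceState(null, "", location.pathname + location.search);
```

Clearing the fragment with history.replaceState keeps the tokens out of the visible URL and out of anything that later copies or logs the page address.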