How to retrieve a profile access token?

Not the “basic” access token, I’m talking about the one used for the Account Profile API endpoints. Those require the user to log in, but I’m a bit lost about how I’m supposed to do that, as I’m not building a website but a standalone app with Unity.

You need to get an authorization code first, then you can ask for the access token using that authorization code.

Here’s a quick example:

Call the authorization URL

{REGION}.battle.net/oauth/authorize?client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&response_type={CODE}&scope={SCOPES}

  • {REGION} is the region of the account (us, eu, kr, tw)
  • {CLIENT_ID} is your client id
  • {REDIRECT_URI} is the url you will use to get the authorization code back
  • {CODE} must be “code”
  • {SCOPES} is the scopes you want to use (wow.profile or sc2.profile)

Once the user logs in you will be redirected to your redirect url with the authorization code appended to the end

example: myurl.com/oauthtest?code=random_numbers_and_letters

If it’s a mobile application, you need to set it up so that when you go to that URL, you are redirected to your app activity.

Then you will want to make a POST request to the /oauth/token endpoint using this URL:
{REGION}.battle.net/oauth/token
You want to use form data since it’s a POST request, with

  • client ID and client secret as authentication
  • form data with
    • {grant_type} = authorization_code
    • {redirect_uri} = redirect uri
    • {code} = the authorization code you just got

Once that’s done you should receive a response containing the access_token, token_type, expires_in, scope and refresh_token.


That right there is the problem. I’m building a standalone app without a supporting website or whatever, so I don’t know what I’m supposed to put here. A random URL? Nothing?

I used a GitHub page for mine: create a new repo, put in an index.html and convert the repo to a page in the settings.

Haven’t had a problem so far, and it’s free.

If you are talking about a mobile app you may need to create a custom URL scheme:

Thanks, I’ll see what I can do with that.

Desktop app. Still, that seems like a nice solution, so I’ll definitely have a look.

Could you go into a little more detail on how you made this work for you, please?

Hoping it is ok to “revive” an old thread, otherwise I can make another post.
I am trying to understand how an Android app can authenticate with the API via OAuth.
I searched for custom URL schemes as you mentioned, but as the API is expecting an http/https scheme, I do not see how it can be configured.
The other option, it seems, would be to use an “app link”, but from what I understand that would require changes on the Battle.net server side.
Does that mean it is impossible to authenticate with a simple mobile app? Schiller, your message seems to say otherwise, could you please clarify a bit?
Thanks a lot!

There is no secure way at the moment to use the API with an Android app. Also the API doesn’t support callbacks to native mobile apps.

Schiller wrote a nice proxy which you can deploy on Heroku for free that will let you make calls to the API without having to implement the OAuth logic in your app and will keep your secret and access tokens secure:

Thanks a lot for the reply and for the proxy suggestion. I’ll have a look at it.

I think I am missing something on how this proxy should be used.
I understand how the proxy is working once logged in. But here I am focusing on the authentication part (not using the game data API) and I don’t see how I should log in.

There is only a GET /oauth/token endpoint that retrieves the access token. From my understanding, this endpoint requires the authorization code that must be retrieved using the GET /oauth/authorize API endpoint.
I could make this /oauth/authorize call from my app and give the proxy server as the redirect URL, but I still don’t see how I would get back to the app from the browser.

Could you please explain the login flow expected to use this proxy?
Thank you!

The actual authentication part of the OAuth2 flow is always done by Blizzard servers (login form). Your app should redirect the user to /oauth/authorize; however, the redirect URL must point back to your app’s URL (using a custom URL scheme).
As long as you have your app responding to such URL locally on the mobile device the flow is almost the same as any web app.

The proxy is used because you can’t handle the /oauth/token endpoint without shipping your client secret within the app, and that is a security risk and a terms of service violation.

Expected flow is:

  1. User opens your app
  2. You redirect the user to a web page with a valid OAuth2 link including the redirect URL (custom URL scheme)
  3. User signs in with their credentials (username and password + mobile authentication code if needed), all handled by Blizzard’s secure servers.
  4. The web page is redirected back to your app’s URL
  5. Your app receives the authorization_code sent back from Blizzard
  6. You make a request to your back-end server (can be the proxy or your own server)
  7. Your back-end server requests /oauth/token (the POST request described in the API docs) and exchanges that code for an actual access_token *
  8. With the returned token you can now fetch data from the API
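
The flow from the first answer in this thread and from the numbered steps above, as an added example (this is not code from the thread, from the proxy, or from Blizzard). The app side builds the /oauth/authorize URL and checks the callback that comes back (the same check a WebView interceptor or custom-scheme handler has to do before trusting the URL); the back end, which is the proxy's job in the thread, builds and sends the POST to /oauth/token so the client secret never ships inside the app. Endpoint paths, parameters and response fields are the ones the thread lists. The `state` parameter and its verification, the exact match of the callback against the registered redirect URI, and the injectable transport that lets the exchange run offline are my additions; the client id, secret, redirect URL and token response in `demo()` are constructed placeholders, and HTTP Basic auth is the standard way of sending "client ID and client secret as authentication".

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request


def new_state():
    """Per-login random value the app keeps and expects echoed back (addition, not in the thread)."""
    return secrets.token_urlsafe(24)


def build_authorize_url(region, client_id, redirect_uri, scopes, state):
    """Step 2: the /oauth/authorize URL the app opens for the user (region/params from the thread)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # e.g. ["wow.profile"] or ["sc2.profile"]
        "state": state,
    }
    return f"https://{region}.battle.net/oauth/authorize?" + urllib.parse.urlencode(params)


def extract_code(callback_url, registered_redirect_uri, expected_state):
    """Step 5: take the authorization code out of the redirect that reached the app.
    Scheme, host and path must equal the registered redirect URI (a plain prefix test
    would also accept https://host/oauthtest.attacker) and state must match, else reject."""
    got = urllib.parse.urlsplit(callback_url)
    want = urllib.parse.urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URI")
    q = urllib.parse.parse_qs(got.query, keep_blank_values=True)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this login attempt")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(region, client_id, client_secret, code, redirect_uri):
    """Step 7, back end only: POST /oauth/token with client id/secret as HTTP Basic auth and
    the form fields from the first answer. The secret stays on the server."""
    url = f"https://{region}.battle.net/oauth/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "redirect_uri": redirect_uri,
                                   "code": code}).encode()
    return url, headers, body


def urllib_transport(url, headers, body):
    """Real transport for the back end: returns (status, response text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def exchange_code(region, client_id, client_secret, code, redirect_uri, transport=urllib_transport):
    """Back-end handler: exchange the code, then check the fields the thread says come back."""
    url, headers, body = build_token_request(region, client_id, client_secret, code, redirect_uri)
    status, text = transport(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {text[:200]}")
    token = json.loads(text)
    for key in ("access_token", "token_type", "expires_in"):
        if key not in token:
            raise RuntimeError(f"token response missing {key!r}")
    return token


def demo():
    """Whole flow run offline with constructed placeholders (not real credentials)."""
    region, client_id, client_secret = "us", "example-client-id", "example-client-secret"
    redirect_uri = "https://myurl.com/oauthtest"  # GitHub-page style callback as in the thread
    state = new_state()
    build_authorize_url(region, client_id, redirect_uri, ["wow.profile"], state)  # URL the app opens
    # Constructed callback, as if Blizzard had sent the user back after login:
    callback = f"{redirect_uri}?code=random_numbers_and_letters&state={state}"
    code = extract_code(callback, redirect_uri, state)

    def fake_transport(url, headers, body):
        # Constructed token response carrying the fields the first answer lists.
        assert url == f"https://{region}.battle.net/oauth/token"
        return 200, json.dumps({"access_token": "constructed-token", "token_type": "bearer",
                                "expires_in": 86399, "scope": "wow.profile"})

    return exchange_code(region, client_id, client_secret, code, redirect_uri, transport=fake_transport)
```

`demo()` runs the whole thing without network; in a real deployment `extract_code` lives in the app (or the WebView interceptor described later in the thread) and `exchange_code` with the default transport lives on the proxy or back end, which is the only place the client secret exists.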

Thank you Schiller for the clarification and detailed flow, this is now clear for me.
The only issue I have is related to the custom URL scheme as the redirect URL (I can’t make step 4 you described work).

As you know, the redirect URL must start with http(s). Therefore I understand that the custom scheme has to be http(s). So I defined, at that level, a redirect URL of the form “http://”. Can you confirm this kind of redirect URL is correct?

As the scheme is http, I am not sure it is possible for my app to “respond to such URL locally”. When I test it, I am sent to the redirect URL in the browser (to an unwanted website). I have to manually force the URL to open with the app to make it work.

This is why I was wondering if a “custom scheme” was sufficient. Android app links (https://) look like the solution, but they are not possible as they require actions on Blizzard’s server.

Do you know by any chance if I am missing something? Or in case you have an example of mobile app implementing this I’d be glad to look at it.
If needed, I can provide the few lines of code I use to handle the custom scheme.
I might be out of scope here as it is related to Android implementation.

Thanks for the support!

Unfortunately I don’t know exactly how people are doing this in Android. URL schemes should be the preferred way, but Blizzard for some reason doesn’t allow them.

I’m guessing Android has a lib of some kind to deal with this, or there is a way to reserve some http(s) URLs for an app.

I can think of some workarounds using the back-end to create a redirection to a custom scheme, but I guess there is a simpler way since people do have apps published despite the API limitations.

My knowledge on mobile apps is limited, I’m mostly a back-end/microservices developer.

All right, I’ll do more research based on your ideas.
Thank you for your help!

You might wanna try asking around in the API discord.

One way to do it in native Android is to have an external address for the callback URL (a GitHub page, for example), open the login/OAuth flow in a WebView, and when you hit the callback URL in the WebView, extract the authorization code from the URL and close/hide the WebView.

From there, you use the oauth/token endpoint from the proxy to get the access token.

Edit: You’ll need to enable JavaScript for the WebView.