HomeWriters RSS

oAuth Authentication with Instagram


oAuth is built as an authentication tool whereby a user doesn't have to give a site their password. It requires the transfer of various tokens between a site & the oAuth based site, which gives the user a specific access token. This token can be revoked at any time by the user if they so wish, meaning if an application is acting maliciously you can deactivate its access.

Many big sites use oAuth such as Twitter, Facebook and Instagram - we'll be using the Instagram API as a demonstration for how to deal with oAuth - you might benefit from keeping an eye on the Instagram Developer Docs.

Register your application

The first thing to do is register your application on Instagram, when you've done that you'll be given a Client ID and a Client Secret, you should keep a note of these as you'll need them later in the authentication process.

The oAuth Process

There are a few steps involved in the authentication process:

  1. You direct the user to the Instagram website to allow access to your application
  2. You get given a code back from Instagram
  3. Use this code to send a cURL request to Instagram to get an access_token

As you can see there are a few steps of back & forth, but it makes sense once you understand the full flow.

Send the user to Instagram

This is straight forward, you generate a URL for the user to go to using the aforementioned Client ID that you got after registering, and the Redirect URI that you provided during registration. For a Client ID of 12345 and a Redirect URI of I would generate a URL as such:

Receive the code

When the user has provided access to your application, they will get sent back to your redirect_uri that you put above with a query string attached called code - you will then be able to access this through using $_GET['code'].

If there are any errors returned, there will be the following query string items returned:

Request access_token

Here is where the fun starts, and the serious authentication works out, we now need to do a cURL request to Instagram to get the user and their access_token to store in the database for later use.

You will want to send a POST request to the endpoint with the following parameters:

If your cURL request goes through correctly and without issue, you will get a response which lists

You should store these 5 items, and then you can use them later to make any requests to the API that require authentication.


Never assume that the access_token you have will always work - you should cater for the possibility of a request failing in all of your requests at all stages of the process.

You are able to request an extra level of access when you send the user off to Instagram in the first instance by appending an additional query string called scope with one or many (+ separated) of the following parameters:

Final Thoughts

While this example is based around Instagram, I hope it highlights the requisites of the oAuth methodology - the fact that there are 3 steps to the process. If you're working with Twitter and want to authenticate yourself for your own application, the developer control panel is able to give you your user access tokens for that application without having to code your own authentication procedure.

Tags: PHP, cURL