Please refer to the documentation link you shared, the process is fully documented there if you just read everything in order:

1. User navigates to URL


2. You get the code


3. You use the code to get the access token

But what code am I supposed to have gotten? I went to the URL where it has the big blue “Allow access” button, and it took me back to my app. Was something else supposed to happen here?

Where would I find the “code” you are mentioning?

Like I see in the documentation that it says

Please check that the state parameter passed back to you is the same as the one originally generated.

But I have not even opened a code editor, how could there be code passed back to me? I checked the console and cookies, but I don’t see anything. And isn’t the state parameter just the word “state”?

Thanks!

Have you noticed this example?

After you click allow, you will be redirected to your callback url with these parameters. This way your website will have access to these parameters through processing this request. You can do it either on the server side or client side.

OH IT’S IN THE LITERAL URL; THANK YOU! I never would have even thought to check there.

Ok but I am still confused about what to fill in for the post request?

So now I have changed it be:

POST https://www.figma.com/api/oauth/token?

  client_id=dmy client ID from the "My Apps" Page]&

  client_secret=tthe original token I got when I made the new app]&

  redirect_uri=https://internalsitename.com/&

  code=ething that code was equal to in the callback URL]&

  grant_type=authorization_code



{

  "user_id": :My email that I use with figma],

  "access_token": :HOW WOULD I KNOW THIS????],

  "expires_in": :OR THIS???],

  "refresh_token": :OR THIS???]

}

But what do I put in the body of the request? Where is that information? Is there a secret GET request to get that information ahead of this step?

I have tried running the POST request without a body at all, but I am still getting the same “Parameter client_id is required” error.

I also notice the documentation says

and code must match the authentication code provided to your callback

For the definition of the redirect_url, so I tried putting in the callback URL to that argument, but it made no difference.

Thanks for all your help so far!!

I think you are reading this wrong. This is not the body, this is the outline of the response you’ll be getting by making that post request above.

I missed this part. Can you double check that the client ID is correct and the request is typed correctly? Maybe you missed a ? or & somewhere?

Ah, this is embarassing. Apparently in Postman, the new line characters that come when you copy and paste from the documentation mess up everything.

Ok, I officially have my tokens and everything, thanks so much for your help! I really appreciate it! Also your website is really pretty!