Difference between S2S and Auth Code Flow tokens

There are different ways to use the API. One is an interactive application that works with users through a user interface. For example:

  • a Telegram bot (e.g. @CryptocurrencyAssistantBot)
  • online trade automation services
  • desktop applications

For this purpose, the developers of the application create their client, and the application's end users only have to grant it access to the specified scopes through the "Authorization Code Flow" approach (more details: https://tools.ietf.org/html/rfc6749#section-4.1).

Another type of application is the server-to-server application, which runs unattended and does not need any interaction with the user. For example, a trade bot that runs on a dedicated (or virtual) server and implements a trading strategy for its owner. In this case the user only has to set up the strategy rules, set some limits and run the bot.
It will use the API to subscribe to the websocket, analyse the market, place orders, etc. without the user's decision.

How to get S2S token

Previously it was not obvious to developers how to obtain access tokens for server-to-server integrations, as token generation required the OAuth2 flow.
Now it is much easier to get access tokens for S2S integrations. All you need to do is open the profile settings and scroll down to the Server-To-Server Integrations section.

Read the description and warning carefully before proceeding.
To obtain the S2S access token, click the button and fill in the following form:

The first input is a name you want to give the token (it's for you to understand what the token is for).
Then tick all the scopes you need (to be more secure, choose only those you really need).
After you click the "Save" button, your request is handled immediately and a new token with the selected scopes is generated.
The token will appear below on the form:

Please note you will not be able to see this token again! So copy it before closing the form.
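
Because the token is shown only once and the bot runs unattended, the copy you keep on the server is the one that matters. The following is an added example, not code from this service: a Python loader for POSIX systems that refuses a token file other users can read, and gives the bot a fingerprint it can log instead of the token. The file location, function names and sample token are assumptions made for illustration.

```python
import hashlib
import os
import stat


class TokenFileError(Exception):
    """Raised when the token file is missing, empty or too widely accessible."""


def load_s2s_token(path):
    """Read the S2S token from `path`, refusing files other users could read."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as exc:
        raise TokenFileError(f"cannot open {path}: {exc.strerror}") from exc
    with os.fdopen(fd, "r", encoding="utf-8") as handle:
        # fstat the descriptor we read from, so the check and the read
        # always refer to the same file.
        info = os.fstat(handle.fileno())
        if not stat.S_ISREG(info.st_mode):
            raise TokenFileError(f"{path} is not a regular file")
        if info.st_uid != os.getuid():
            raise TokenFileError(f"{path} is not owned by the bot's user")
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise TokenFileError(f"{path} is open to group/others; run chmod 600")
        token = handle.read().strip()
    if not token:
        raise TokenFileError(f"{path} is empty")
    return token


def token_fingerprint(token):
    """Short SHA-256 prefix: safe to log, enough to tell tokens apart."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def redact(message, token):
    """Replace any occurrence of the token in a log message with its fingerprint."""
    return message.replace(token, f"<s2s-token sha256:{token_fingerprint(token)}>")
```

Logging the fingerprint next to the name you gave the token makes it easier to tell which bot uses which token when one has to be revoked.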

Revoking the access token

Pay attention to the tokens you have issued. As soon as a token is no longer needed, revoke it. If you suspect your token was stolen, revoke it immediately.
To revoke an issued access token, open the "Profile settings" and scroll down to the Server-To-Server Integrations section. There you will see a table that lists all the tokens you've generated:

Click the "revoke" link to revoke the token.
