Difference between S2S and Auth Code Flow tokens

There are different ways to use the API. One is an interactive application that works with users through a user interface. For example:

  • a telegram bot (e.g. @CryptocurrencyAssistantBot)

  • online trade automation services

  • desktop applications

  • websites with access to users' profiles (like Jointer)

For this purpose the developers of the application create their own client, and the application's end users only have to grant it access to the specified scopes through the "Authorization Code Flow" approach (more details: https://tools.ietf.org/html/rfc6749#section-4.1).

Another type of application is the server-to-server (S2S) application, which works unattended and does not need any interaction with the user. For example, a trade bot that runs on a dedicated (or virtual) server and implements a trade strategy for its owner. In this case the user only has to set up the strategy rules, set some limitations and run the bot.
It will use the API to subscribe to the websocket, analyze the market, make orders and so on without the user's decision.
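The two approaches side by side, as an added example that is not taken from the service's documentation. It follows RFC 6749 section 4.1 for the interactive flow; the endpoint URLs, client ID, scope names, the `S2S_TOKEN` variable name and the use of the `Bearer` header scheme are assumptions.

```python
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders, not the service's real endpoints or client registration.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_url(scopes):
    """Authorization Code Flow, step 1 (RFC 6749 section 4.1.1).

    Returns the URL the end user is sent to and the random `state`
    value the application must keep in that user's session.
    """
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # request only the scopes you need
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Step 2 (section 4.1.2): validate the redirect, return the code."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time compare; a mismatch means the redirect is not ours.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:  # e.g. the user refused to grant access
        raise PermissionError(params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code  # exchanged for a token server-side (section 4.1.3)


def s2s_headers(env=os.environ):
    """S2S: no user and no redirect. The pre-issued token is read from
    the environment (hypothetical variable name), never from source."""
    token = env.get("S2S_TOKEN", "").strip()
    if not token:
        raise RuntimeError("S2S_TOKEN is not set")
    return {"Authorization": f"Bearer {token}"}  # Bearer scheme assumed
```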

How to get S2S token

All you need to do is open the profile settings and scroll down to the Server-To-Server Integrations section (or open this link):

API settings position in profile menu

Then choose Server-To-Server integrations in the sub-menu.

Read the description and warning carefully before proceeding.
To obtain the S2S access token, click the "New S2S token" button and fill in the following form:

The first input is a name you want to give to the token (it's for you, to understand what the token is for).
Then tick all the scopes you need (to be more secure, choose only those you really need).
After you click the "Save" button, your request will be handled immediately and a new token with the selected scopes will be generated.
The token will appear on the form like this:

Please note you will not be able to see this token again! So copy it before closing the form.

Revoking the access token

You have to pay attention to the tokens you have issued. As soon as a token is no longer needed, you have to revoke it. If you suspect your token was stolen, you have to revoke it immediately.
To revoke an issued access token, go to the Server-To-Server integrations tab as described above. You will find a list of all active tokens there:

Click the "revoke" link to revoke the token.
