# Authorization flow

Marketplace applications make use of the standard OAuth2 Authorization Code flow:

**1. Redirect the user to the authorization page**

Redirect the user's browser to `https://client.memo.bank/authorize` with the following query parameters:
- `client_id` — your application's client ID;
- `redirect_uri` — one of your registered redirect URIs;
- `scope` — space-separated list of requested scopes;
- `state` — an opaque value to maintain state between the request and callback.

**2. User approves access**

The user reviews the requested permissions and approves. They are then redirected to your `redirect_uri` with a `code` in the query parameters.

If the user denies the access or if an error occurs, they are redirected to your `redirect_uri` with an `error` and optionally an `error_description` in the query parameters. 

**3. Exchange the code with a token**

Make a `POST` request to `/oauth2/token` using the `authorization_code` grant type, along with the `code` you received during the previous step, as well as your `redirect_uri`, `client_id` and `client_secret`.

See the API reference for the [OAuth2 token endpoint](#operation-createtoken) below for more details.

**4. Refresh your access tokens**

Use the `refresh_token` grant type to obtain new access and refresh tokens without requiring the user to re-authorize your  application.

**Token lifetimes:**
- Access token: **2 hours**.
- Refresh token: **14 days** (single use).
- Authorization code: **5 minutes** (single use).