Togo ID

The Togo Group Developer Hub

Welcome to the Togo Group developer hub. You'll find comprehensive guides and documentation to help you start working with Togo Group as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    API Reference

Authentication flows

Togo ID supports the following authentication methods:

The Authorization Code Flow is intended for clients that can securely maintain a client secret between themselves and the authorization server, whereas the Implicit Flow is intended for clients that cannot.

The Hybrid Flow combines aspects of the Authorization Code Flow and the Implicit Flow. It enables clients to obtain an ID Token optionally an Access Token with only one round trip to the authorization server.


Access User Resource

Requires Secret Key (Server-side)

Authorization Code









How to choose an OAuth 2.0 flow?

The authorization code flow is suitable for long-running applications, such as mobile apps, in which the user grants permission only once. It provides an access token that can be refreshed. Since the token exchange involves sending your secret key, perform this on a secure location, like a backend service, and not from a client such as a browser or from a mobile app.

If you are building single-page applications (SPA) and websites that have no back end logic on the webserver, then the Implicit flow is the recommended method for controlling access between your application and a resource server. Since the SPA is a public client, it is unable to securely store a client secret.

The Hybrid flow is an OpenID Connect (OIDC) grant that enables use cases where your application can immediately use an ID token to access information about the user while obtaining an authorization code that can be exchanged for an Access Token, therefore, gaining access to protected resources for an extended period of time.

Updated about a year ago

Authentication flows

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.