Authentication Password Flow


Password flow must be explicitly approved on a per-client basis, by a Pnut administrator.

Request access by E-mailing, telling what platform the app runs on, and the client ID. If access is granted, you will be able to get your password_grant_secret from the client settings in the developer area.

Do not save the user's password. You should take every measure to respect the user's security.

Where another flow is practical, use it. For your own projects and single-instance clients, you can authorize and retrieve a token for yourself directly from the client's developer page, or you can use web flows.

You must display the scopes that you will be authorizing, somewhere before users login, even if on a linked section of your app.


Retrieve the user's username or E-mail address, and password, directly from them.

Now make a POST call with what you now have:

curl "" \
  -d "client_id=[client ID]" \
  -d "password_grant_secret=[stand-in for the client secret]" \
  -d "username=[username or E-mail address]" \
  -d "password=[account password OR one-time use password]" \
  -d "grant_type=password" \
  -d "scope=[comma-delimited scopes]" \

A JSON response will be returned in the form of:

{"access_token":ACCESS_TOKEN, "token":{"...Token object..."}, "user_id":USER_ID, "username":USERNAME}

Every time a user is authorized using the password flow, they are sent an E-mail saying what client they were authorized for and what scopes.