Setting up an authorization code application
Step 1. Authorization Code Setup
Creating an authorization code app
- Once you have logged in to the Criteo Partners Portal, create a new App by clicking on the ➕ button in the My apps section.
1.1. Create app
- App details
- Provide your app name and description. You can also provide an optional image to identify your application. On your App page, you will be able to define the scope of your application and the OAuth parameters. See this page for more details on how to define your app scope.

- Authentication method
- Select your app authentication method. You will have the option to select Client Credentials or Authorization Code. To decide which option is best for your organization, review our OAuth implementation guide.

1.2. App activation
- Service
- Select which Criteo service you want to use your API application with. Choose C-Growth for marketing solutions or C-Max for retail media.

1.3. Authorizations
- Domains
- Select the domains that determine which permissions your application will need.


Step 2. Set Up Your OAuth Parameters
Once you have defined the scope of your application, you will be able to set what you need for the authorization code workflow.
| Parameters | Description |
|---|---|
| | Your public key, accessible in the app credentials section. You can add up to 5 pairs of credentials. Credentials can also be added and managed once the App has been activated. |
| | Your secret key, accessible only once when creating a pair of client_id and client_secret in the credentials section. You can add up to 5 pairs of credentials. Credentials can also be added and managed once the App has been activated. |
| | The URL to redirect the user to after consent delegation. HTTPS protocol required. You can add up to 30 redirect URIs. Redirect URIs can also be added and managed once the App has been activated. |
2.1. - Consent URL Creation
Once you have defined the parameters of your App, you can start implementing your authorization code flow.
Consent URL
- To request access to a user’s data, you will create a Consent link (to be sent to the user or implemented through a button in your platform that will redirect the user to the link) with the following structure and parameters:
| Parameters | Required | Description |
|---|---|---|
| | Yes | Indicates that an authorization code is expected as the outcome. |
| | Yes | Your public key, accessible in the app credentials section. |
| | Yes | The URL to redirect the user to after consent delegation. HTTPS protocol required. Defined in the redirect URI section in the Developer Dashboard. |
| | No | A string that you can provide and that will be returned as-is in the final redirection (usually used to prevent Cross-Site Request Forgery attacks). |
- The Consent link will direct your user to the Criteo Consent page, which will look like this example:

- The user will be able to choose what advertiser(s) from their portfolio they want to give access to.
- The user will approve the request by clicking on “Approve”
- The client_id does not match any published API app.
- The redirect_uri is not authorized (e.g. not accessible from public network)
- An unexpected error occurred in our backend.
2.2. - Redirection and Access Code
Once the user has completed the Consent Delegation flow, we redirect your user to the following URL: redirect_uri, with the following query parameters:
| Parameter | Description |
|---|---|
| | An authorization code valid for 30 seconds, usable only once. |
| | The state parameter that you originally provided (returned as-is). |
redirect-uri but with an ‘error’ query parameter instead of a ‘code’.
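The consent link and callback check described in 2.1 and 2.2, as an added example that is not Criteo's demo code. The endpoint is a placeholder, the query parameter names are assumed to be the standard OAuth 2.0 ones, and `session` stands for any per-user server-side store.

```javascript
const crypto = require('node:crypto');

// Placeholder: use the consent URL given for your app; it is not in the text above.
const CONSENT_ENDPOINT = 'https://consent.example.invalid/oauth2';

// Build the consent link plus the state value to keep in the user's session.
function buildConsentUrl({ clientId, redirectUri }) {
  const state = crypto.randomBytes(32).toString('base64url'); // unguessable, one per attempt
  const url = new URL(CONSENT_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: 'code', // assumed standard OAuth 2.0 parameter names
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  }).toString();
  return { url: url.toString(), state };
}

// Compare two state strings without leaking where they differ.
// Non-string input (missing or repeated query parameter) never matches.
function sameState(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  const digest = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(digest(expected), digest(received));
}

// Validate the redirect's query parameters against the session that started the flow.
function handleCallback(session, query) {
  const expected = session.oauthState;
  delete session.oauthState; // one-shot: the same state is never accepted twice
  if (!sameState(expected, query.state)) return { ok: false, reason: 'state_mismatch' };
  if (query.error) return { ok: false, reason: 'consent_error' };
  if (typeof query.code !== 'string' || query.code === '') {
    return { ok: false, reason: 'missing_code' };
  }
  return { ok: true, code: query.code }; // exchange at once: valid 30 seconds, single use
}
```

Store the returned `state` as `session.oauthState` before redirecting the user, and pass the parsed query of the callback request to `handleCallback`.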
Step 3. Exchanging Access Code For Access Token
Now that you have an authorization code, you can trade it for an access token by making the following POST call. Your call will need to be set up this way:
| Parameter | Description |
|---|---|
| | Indicates that you are providing an authorization code |
| | Authorization code returned during redirection |
| | Must match the |
| | Your public key accessible in app credentials section |
| | Your secret key, accessible only once when creating a pair of |
| Parameter | Description |
|---|---|
| | A short-lived (valid for 900 seconds) access token* |
| | A long-lived refresh token (that expires after 6 months) that can be used to renew the access token (see next section). |
| | Type of token. |
| | Lifetime of the token in seconds. |
3.1. - Using Refresh Token
When an access token is close to expiration, you can get a new one using a refresh token via the following request:
| Parameter | Description |
|---|---|
| | Indicates that you are providing a refresh token. |
| | Refresh token shared when requesting an access token. |
| | Your public key, accessible in the app credentials section. |
| | Your secret key, accessible only once when creating a pair of client_id and client_secret in the credentials section. |
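The code exchange from Step 3 and the refresh from 3.1 combined into one token holder, as an added example that is not Criteo's demo code. The token endpoint is a placeholder, the request and response field names are assumed to be the standard OAuth 2.0 ones sent as a form-encoded body, and `post` is a hypothetical injected HTTP helper.

```javascript
// Placeholder: take the real token endpoint from the API reference.
const TOKEN_ENDPOINT = 'https://api.example.invalid/oauth2/token';

class TokenManager {
  // post(url, formBody) -> Promise<object> is a hypothetical injected helper so that
  // any HTTP client can be plugged in; now() is injectable for testing.
  constructor({ clientId, clientSecret, redirectUri, post, now = Date.now }) {
    Object.assign(this, { clientId, clientSecret, redirectUri, post, now });
    this.accessToken = null;
    this.refreshToken = null;
    this.expiresAt = 0; // epoch milliseconds
    this.inflight = null;
  }

  // Send one token request; field names are the assumed standard OAuth 2.0 ones.
  async request(grant) {
    const body = new URLSearchParams({
      ...grant,
      client_id: this.clientId,
      client_secret: this.clientSecret,
    }).toString();
    const res = await this.post(TOKEN_ENDPOINT, body);
    if (!res || typeof res.access_token !== 'string') throw new Error('token request failed');
    this.accessToken = res.access_token;
    if (res.refresh_token) this.refreshToken = res.refresh_token; // keep the newest one
    // Fall back to the documented 900 seconds if the lifetime field is absent.
    this.expiresAt = this.now() + (Number(res.expires_in) || 900) * 1000;
  }

  // Call right after the redirect: the code is valid for 30 seconds and usable once.
  exchangeCode(code) {
    const grant = { grant_type: 'authorization_code', code, redirect_uri: this.redirectUri };
    return this.request(grant);
  }

  // Return a usable access token, refreshing when fewer than skewMs remain.
  async getAccessToken(skewMs = 60_000) {
    if (!this.refreshToken) throw new Error('no refresh token: user consent required');
    if (this.now() >= this.expiresAt - skewMs) {
      const grant = { grant_type: 'refresh_token', refresh_token: this.refreshToken };
      // Single-flight: concurrent callers share one refresh request.
      this.inflight ??= this.request(grant).finally(() => { this.inflight = null; });
      await this.inflight;
    }
    return this.accessToken;
  }
}
```

Keep `clientSecret` and the refresh token server-side only; neither should reach the browser or the logs.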
Demo
Below you can find the code for a demo application in NodeJS that uses the Express JS framework.
How to run the demo?
- Run npm install
- Connect to the developer portal and create an app according to the instructions above
- Create an “Authorization code” app.
- Generate app credentials and enter the client_id and client_secret in index.js.
- Register “http://localhost:3000/criteo-auth/callback” as the redirect URI.
- Run npm run start
- Open http://localhost:3000
client_id and client_secret are compromised?
You will need to delete the set of credentials in the App page and create a new one. You will need to request access again from your users.