aniSearch OAuth 2.0 Authorization Guide v2025-05-01

← Back to API Access at aniSearch

This document describes how third-party applications can obtain and refresh OAuth 2.0 tokens to access the aniSearch API on behalf of a user. It covers the endpoints, typical token lifetimes, and example requests without delving into internal implementation details.

For questions regarding the API or this documentation, please contact api@anisearch.com.

Base Domains
Overview
Client Registration
Available Scopes
Obtaining Access Tokens (Authorization Code Flow)
Refreshing Access Tokens
Revoking Tokens
Common Error Codes
Calling the API
- User API
- Ratings API

Note on API Rate Limits: Be mindful of API rate limits when making requests.
Excessive requests may lead to temporary blocking (HTTP 429 Too Many Requests).

Important: API requests must include a meaningful User-Agent header. Requests with missing or generic user agents may be blocked with HTTP 403 due to automated abuse protection, and may temporarily result in your IP address being denied further access. Please identify your application clearly by using a custom user agent string, such as: MyApp/1.0 (contact@example.com).

Base Domains

The aniSearch website and OAuth endpoints are available under different domains corresponding to different languages. The API itself is accessed via api.anisearch.com.

Use the base domain that matches the user’s language preference when constructing OAuth endpoint URLs.

Language	{BASE_DOMAIN}
English	`https://www.anisearch.com`
German	`https://www.anisearch.de`
Spanish	`https://www.anisearch.es`
French	`https://www.anisearch.fr`
Italian	`https://www.anisearch.it`
Japanese	`https://www.anisearch.jp`

Overview

The aniSearch API uses the OAuth 2.0 protocol for authentication and authorization.

Currently supported grant type:

Authorization Code Grant with Proof Key for Code Exchange (PKCE).

OAuth Endpoints

Endpoint	URL
Authorization	`{BASE_DOMAIN}/oauth/authorize`
Token	`{BASE_DOMAIN}/oauth/token`
Revocation	`{BASE_DOMAIN}/oauth/revoke`

Token Details

Item	Details
Access Token Lifetime	1 hour
Refresh Token Lifetime	30 days
PKCE Challenge Method	`S256`. The server is configured to reject the `plain` method.
Client Authentication (Token/Revoke)	Token Endpoint: HTTP Basic Auth or Request Body Parameters. Revocation Endpoint: HTTP Basic Auth required.

Client Registration

Before you can start the authorization process, you need to register your application with aniSearch. Registered users can manage their OAuth applications via the Apps tab within their user control panel.

During registration, you will need to provide an application name and a Redirect URI where users will be sent back after authorization. Currently, only one Redirect URI can be registered per application.

Upon successful registration, you will receive a unique client_id and client_secret. Ensure you store these client credentials securely.

Compatible Clients Listing: We list compatible clients in the sidebar of the user’s app management area. If your client is compatible and you’d like it to be listed, please contact us.

Available Scopes

Scopes define the level of access your application requests from the user. Request only the scopes necessary for your application’s functionality.

Scope Identifier	Description
`user.profile`	Allows reading your username.
`ratings.anime`	Allows reading, creating, editing, and deleting the user’s anime ratings and list entries.
`ratings.manga`	Allows reading, creating, editing, and deleting the user’s manga ratings and list entries.
`database.anime`	Allows reading the user’s own database submissions, creating new database entries, editing existing entries, and deleting the user’s own submissions (for anime, manga, or merchandise respectively). Note: All database modifications submitted via the API are subject to review and approval by aniSearch supervisors before becoming publicly visible.
`database.manga`
`database.merchandise`

Obtaining Access Tokens (Authorization Code Flow)

This flow allows users to grant your application access to their aniSearch data without sharing their credentials.

Step 1: Generate Code Verifier and Challenge (PKCE)

To implement the PKCE requirement, your application must first generate a cryptographically random code_verifier and the corresponding code_challenge.

<?php
// Generate a high-entropy random string for the code verifier (min 43, max 128 chars)
$codeVerifier = bin2hex(random_bytes(32)); // Creates a 64-character hex string

// Store $codeVerifier in the user’s session or similar temporary storage for Step 5
$_SESSION['code_verifier'] = $codeVerifier;

// Generate the S256 code challenge required by the server
// This process:
// 1. Creates a binary SHA-256 hash of the code verifier (hash function with 'true' parameter)
// 2. Base64-encodes this binary hash
// 3. Replaces URL-unsafe characters and removes padding to make it URL-safe
$codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');

Step 2: Request Authorization

Redirect the user’s browser to the aniSearch authorization endpoint (e.g., {BASE_DOMAIN}/oauth/authorize) with the following query parameters:

GET {BASE_DOMAIN}/oauth/authorize?
    response_type=code
    &client_id=YOUR_CLIENT_ID
    &redirect_uri=YOUR_REGISTERED_REDIRECT_URI
    &scope=DESIRED_SCOPES
    &state=CSRF_PROTECTION_STATE
    &code_challenge=YOUR_GENERATED_CODE_CHALLENGE
    &code_challenge_method=S256

Parameter	Description
`response_type`	Required Must be `code`.
`client_id`	Required Your application’s client ID obtained during registration.
`redirect_uri`	Required Must exactly match the URI you registered for your client.
`scope`	Optional A space-separated list of permission scopes you are requesting (see Available Scopes). If omitted, default scopes may be granted.
`state`	Recommended An opaque value used to maintain state between the request and callback, protecting against Cross-Site Request Forgery (CSRF). Verify this value in Step 4.
`code_challenge`	Required The PKCE code challenge (Base64url-encoded SHA256 hash of the code_verifier) generated in Step 1.
`code_challenge_method`	Required Must be `S256`.

Step 3: User Authentication & Authorization

aniSearch will prompt the user to log in (if they aren’t already). The user will then be presented with a consent screen asking them to authorize the requested scope(s) for your application. The user can approve or deny the request.

Step 4: Receive Authorization Code

If the user approves, aniSearch redirects the browser back to your specified redirect_uri with an authorization_code and the state parameter you initially provided:

HTTP/1.1 302 Found
Location: YOUR_REGISTERED_REDIRECT_URI?code=AUTHORIZATION_CODE&state=CSRF_PROTECTION_STATE

Your application must:

Verify that the received state parameter exactly matches the one generated and stored before Step 2.
Extract the authorization_code. This code is short-lived (valid for 10 minutes) and can only be used once.

Authorization Code Rate Limit: Please note that there is a rate limit on requesting authorization codes. A single user can request a maximum of 3 codes for your client application within a 5-minute period. Further requests within that window will result in an error (HTTP 429 Too Many Requests).

Step 5: Exchange Authorization Code for Tokens

Your application’s backend server makes a POST request to the aniSearch token endpoint (e.g., {BASE_DOMAIN}/oauth/token) to exchange the authorization_code for an access token and a refresh token.

Client authentication is required. You can either use HTTP Basic Authentication (preferred: `Authorization: Basic BASE64(client_id:client_secret)`) or include the client_id and client_secret in the request body.

Request (using request body parameters for client auth):

POST {BASE_DOMAIN}/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTHORIZATION_CODE_FROM_STEP_4
&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&code_verifier=YOUR_CODE_VERIFIER_FROM_STEP_1

Parameter	Description
`grant_type`	Required Must be `authorization_code`.
`code`	Required The authorization code received in Step 4.
`redirect_uri`	Required The same redirect URI used in Step 2.
`client_id`	Required Your application’s client ID.
`client_secret`	Required Your application’s client secret. (Omit if using Basic Auth).
`code_verifier`	Required The original, plain-text PKCE code verifier generated in Step 1 and retrieved from the user’s session.

Successful Response (HTTP 200 OK):

aniSearch validates the request (including the code_verifier against the code_challenge associated with the code) and returns a JSON response containing the tokens:

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "ACCESS_TOKEN_STRING",
  "refresh_token": "REFRESH_TOKEN_STRING"
}

The response includes the following fields:

Field	Description
`token_type`	Always "Bearer". Indicates the token type for the `Authorization` header.
`expires_in`	The lifetime of the access token in seconds (e.g., 3600 for 1 hour). Calculate the actual expiry time upon receiving the token.
`access_token`	The token used to authenticate API requests. Valid for 1 hour.
`refresh_token`	Used to obtain a new access token when the current one expires. Typically valid for 30 days. Store this securely.

Store the access_token and refresh_token securely, associated with the user.

Refreshing Access Tokens

When an access token expires (after 1 hour), use the corresponding refresh token to obtain a new access token without requiring user interaction, as long as the refresh token is still valid (within 30 days) and hasn’t been revoked.

Make a POST request to the token endpoint (e.g., {BASE_DOMAIN}/oauth/token). Client authentication (Basic Auth or request body parameters) is required, just like in Step 5.

POST {BASE_DOMAIN}/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=USER_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Parameter	Description
`grant_type`	Required Must be `refresh_token`.
`refresh_token`	Required The refresh token obtained previously for the user.
`client_id`	Required Your application’s client ID.
`client_secret`	Required Your application’s client secret. (Omit if using Basic Auth).

The response format upon success (HTTP 200 OK) is the same as in Step 5 of the authorization flow, providing a new access token and potentially a new refresh token. Always store the latest refresh token received, as older ones might be invalidated.

If the refresh token is invalid or expired, the server will return an error (e.g., `invalid_grant`), and you must prompt the user to re-authorize your application via the full Authorization Code flow (starting from Step 2).

Revoking Tokens

To invalidate a refresh token or an access token (e.g., when a user logs out of your application or explicitly disconnects it), make a POST request to the revocation endpoint (e.g., {BASE_DOMAIN}/oauth/revoke).

Client authentication via HTTP Basic Authentication is required for this endpoint.

POST {BASE_DOMAIN}/oauth/revoke
Authorization: Basic BASE64_ENCODED(YOUR_CLIENT_ID:YOUR_CLIENT_SECRET)
Content-Type: application/x-www-form-urlencoded

token=TOKEN_TO_REVOKE
&token_type_hint=HINT

Parameter	Description
`token`	Required The access token or refresh token string to be revoked.
`token_type_hint`	Optional Can be `access_token` or `refresh_token` to help the server find the token faster. If omitted, the server will check for both types.

A successful revocation always returns an HTTP 200 OK status code with an empty body, regardless of whether the token was found and revoked or was already invalid. Your application should remove the revoked token(s) from its storage.

Common Error Codes

When requests to the OAuth endpoints fail, the server returns an error response in JSON format as defined in the OAuth 2.0 specification. Understanding these errors can help you troubleshoot issues and implement appropriate handling in your client.

Error Code	Description
invalid_request	The request is missing a required parameter, includes an invalid parameter value, or is otherwise malformed. Check your request format and ensure all required parameters are included.
invalid_client	Client authentication failed. Verify your client credentials are correct and you’re using the proper authentication method (Basic Auth or request body parameters as required).
invalid_grant	The provided authorization grant (e.g., authorization code, refresh token) is invalid, expired, or revoked. For authorization codes (valid only for 10 minutes), request a new code. For refresh tokens, prompt the user to re-authorize.
unauthorized_client	The client is not authorized to use the requested grant type. Contact aniSearch support if you believe this is in error.
unsupported_grant_type	The requested grant type is not supported by the authorization server. Use only the supported grant types documented here ("authorization_code" or "refresh_token").
invalid_scope	The requested scope is invalid, unknown, or malformed. Reference the Available Scopes section.
server_error	The server encountered an unexpected condition. This is not an issue with your implementation. If persistent, contact aniSearch support.
temporarily_unavailable	The authorization server is currently unable to handle the request due to temporary overloading or maintenance. Implement exponential backoff and retry logic after a reasonable delay (at least 5 seconds).
invalid_redirect_uri	The redirect URI in the request does not match the one registered for the client. The match must be exact, including protocol (http vs https), trailing slashes, and case-sensitivity.
access_denied	The resource owner or authorization server denied the request. This typically occurs when the user explicitly denies authorization or user permissions for requested scopes were revoked.

Error responses are returned with an appropriate HTTP status code (typically 400 for client errors, 401 for authentication failures, and 500 for server errors) and include a JSON body with the following structure:

{
  "error": "error_code",
  "error_description": "Human-readable explanation"
}

Always handle these errors gracefully in your application, showing appropriate messages to users and implementing retry logic where appropriate.

Calling the API

Once you have a valid access token, you can make requests to the aniSearch API endpoints hosted at https://api.anisearch.com/v1/.

Include the access token in the Authorization HTTP header using the Bearer scheme:

Authorization: Bearer YOUR_ACCESS_TOKEN

The specific API resources you can access depend on the scopes granted by the user:

User API

Purpose: Allows reading your username.

Required Scope(s): user.profile

Detailed documentation: User API

Ratings API

Purpose: Manage user ratings and list entries for anime and manga.

Required Scope(s): ratings.anime and/or ratings.manga

Detailed documentation: Ratings API

Database API

Purpose: Submit new entries or modifications to the aniSearch database (subject to supervisor review).

Required Scope(s): database.anime, database.manga, and/or database.merchandise

Detailed documentation: Database API

If an API request fails with an authentication error (e.g., HTTP 401 Unauthorized), it likely means the access token has expired or been revoked. You should attempt to refresh the token using the refresh token (see Refreshing Access Tokens). If refreshing succeeds, retry the original API request once with the new access token. If refreshing fails, the user needs to re-authorize.