For Client-Side Applications

Harvest uses the Implicit Grant flow for client-side authorization.

1. Redirect users to Harvest to authorize their accounts with your application.

GET https://example.harvestapp.com/oauth2/authorize?client_id={client ID}&redirect_uri=https%3A%2F%2Fexample.com%2Fredirect_path&state=optional-csrf-token&response_type=token

To limit access to a single Harvest account, use that account's web address in place of api.harvestapp.com.

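2. Get the access token when Harvest redirects back to your application. Harvest sends it to your redirect URI as a hash parameter (in the URL fragment, after the #). Browsers do not send the fragment to your server, so script running on the redirect page has to read it.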

GET https://example.com/redirect_path#access_token={access token}&expires_in=64799&state=optional-csrf-token&token_type=bearer

3. Use the access token to send authorized requests to the Harvest API.

Note: the Content-Type and Accept headers for this request must be application/json or application/xml.

GET https://example.harvestapp.com/account/who_am_i?access_token={access token}
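
The three steps above as client-side JavaScript. This is an added example, not code from Harvest: the function names, the client ID and the state handling are assumptions, and example.harvestapp.com is the placeholder host used on this page. It rejects a redirect whose state does not match the value generated in step 1.

```javascript
// Added example; function names and sample values are illustrative.
const AUTH_HOST = "example.harvestapp.com"; // placeholder host used on this page

// Step 1: unguessable state value; store it (e.g. sessionStorage) before redirecting.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildAuthorizeUrl(clientId, redirectUri, state) {
  const url = new URL(`https://${AUTH_HOST}/oauth2/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri, state, response_type: "token",
  }).toString();
  return url.toString();
}

// Step 2: parse the fragment of the redirect and check it before using the token.
function parseRedirectFragment(hash, expectedState, nowMs = Date.now()) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  // A missing or different state means this response did not come from our request.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: discard this response");
  }
  const accessToken = params.get("access_token");
  const tokenType = (params.get("token_type") || "").toLowerCase();
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken || tokenType !== "bearer" || !(expiresIn > 0)) {
    throw new Error("malformed token response");
  }
  // Track expiry so the app re-authorizes instead of sending a stale token.
  return { accessToken, expiresAt: nowMs + expiresIn * 1000 };
}

// Step 3: request description for who_am_i, with the headers the note requires.
function whoAmIRequest(accessToken) {
  const url = new URL(`https://${AUTH_HOST}/account/who_am_i`);
  url.searchParams.set("access_token", accessToken);
  return {
    url: url.toString(),
    headers: { Accept: "application/json", "Content-Type": "application/json" },
  };
}
```

In the browser, call parseRedirectFragment(location.hash, savedState) on the redirect page, then history.replaceState(null, "", location.pathname) so the token does not stay in the address bar or history. Pass the result of whoAmIRequest to fetch(url, { headers }).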