Use OAuth 2.0 tokens from your site for authorization in dialog

If you have integration with one of social networks or cloud services through OAuth 2 and want to reuse user’s token in the Uploadcare widget, you can use API for that:

  1. First, you need to check that you request all permissions required for Uploadcare widget’s normal work. You can find the full list in the Required Permissions section of this document.
  2. It is only possible to set a token from the client. If you are using tokens only on the server side, you’ll need to temporarily transfer them to the client and send requests from the browser. Please, make sure that your site is served via HTTPS, otherwise, this is a huge security vulnerability.
  3. If you are using custom OAuth apps, it will take some extra work to make everything work together.
  4. You will need to send GET request to the following URL:[storage_key]/set_keys. For what is [storage_key], see the Storage Key section of this document.

You’ll need to send the following information through query string:

  • public_keyrequired. The public key of your Uploadcare project.
  • access_tokenrequired. The access token issued by the authorization server.
  • token_typerequired. The type of the token issued by the authorization server. In most cases, it is Bearer.
  • refresh_tokenoptional. The refresh token, which can be used to get new access tokens using the same authorization grant.

The request can be sent at any time. The best moment is when the user is logged in to your site through OAuth 2.0. But if you already have a lot of logged in users, you may need to send this request on a page load.

Keep in mind that for security reasons, it is not possible to use tokens from the widget in your apps. You can only expose your keys to Uploadcare.

Storage Key Explanation

The storage key is a part of a URL, which you (and Uploadcare widget) use for communication with social services. In simple cases, this is the service name. For example: box, huddle, flickr, evernote, instagram, vk, skydrive, facebook, dropbox, and gdrive.

But if you are using custom OAuth apps for your project, these keys will be different. The easiest way to find out the right storage key is to look for it in the browser’s developer panel. Open the widget on the tab you are interested in and find the request to

Required Permissions

Some of the services need extra permissions to work with Uploadcare. Here is the full list of them:

  • Facebook: user_photos, user_videos, user_likes, user_friends
  • Google Drive:
  • OneDrive: wl.offline_access, wl.skydrive
  • VK: friends, photos,docs, offline

@Alex where can I see all API options available for the endpoint like the ‘set_keys’? Thank you in advance!

Hi @itlicenses, I’m afraid we don’t have public docs for this API. Could you tell me what exact functionality you’re looking for?

Hello @Alex , thanks for the reply. I am trying to do the log out from the uploadcare-widget programmatically, I found in its source code that it deletes the localStorage key for the social network it’s currently logged in, but since the widget injects the uploadcare website for that social tab (ex: OneDrive:, from the parent website I cannot erase that iframe localStorage (CORS), so I was wondering if there is any API call or trick to perform the logout programmatically from the parent website.