Skip Main Navigation
Page Content

Authentication

The Eventbrite API uses OAuth2 for authentication; while it’s a reasonably simple protocol, it’s also not very strongly specified, so make sure you read the documentation below to make sure you’re using it correctly.

  • OAuth authorize URL:

    https://www.eventbrite.com/oauth/authorize
  • OAuth access token URL:

    https://www.eventbrite.com/oauth/token

Getting a token

All API requests must be authenticated with a valid OAuth token. Tokens are tied to user accounts; if you’re just using the API for a single user or organizer, then follow Personal Tokens; if you’re using the API for many Eventbrite users, then follow OAuth Token Flow.

Personal Tokens

As many of our API users are just doing an integration for a single user or organizer, we have a streamlined workflow for users to get an OAuth token just to represent themselves.

All you need to do is visit your apps page, and make sure you have at least one app created. Every app you own will have a “Your OAuth Token” entry; click “Show” on that to reveal a premade OAuth token for your account.

OAuth Token Flow

If you’re accessing the API on behalf of users other than yourself - for example, if you’re a service building on top of Eventbrite - you’ll need to do the full OAuth token flow for each user that you want to access us on behalf of.

Visually, the users will go from your website or application to our website, confirm that they want to allow access to your application, and then we’ll redirect back to you with a token you can store and use to access the API on their behalf.

Sometimes, the tokens may expire (for example, if the user changes their password); in this case, you’ll get an error back that the token is invalid and you should direct the user through the flow once again. If a user still has your app approved, we’ll just redirect back to you immediately with a new token, skipping the approval screen.

To authenticate users via the API, you’ll need the following details (available on your apps page):

  • Client Key: Identifies your app during the OAuth handshake. Not secret.
  • Client Secret: Identifies your app during a server-side handshake. Secret.
  • Redirect URI: The URI we’ll redirect users to once they approve your app. You need to set this in the Eventbrite app settings.

Client-side flow

To authenticate a user from a client-side (JavaScript) application, simply redirect your users to the following url:

https://www.eventbrite.com/oauth/authorize?response_type=token&client_id=YOUR_CLIENT_KEY

The user will see an Approve/Deny page. When they hit either option, they’ll be redirected back to your Redirect URI; if they hit “approve”, there will also be an OAuth token in the hash fragment of the URL.

Server-side flow

To authenticate a user from a server-side application, first redirect them to our authorization URL:

https://www.eventbrite.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_KEY

The user will see an Approve/Deny page. When they hit either option, they’ll be redirected back to your Redirect URI; if they hit Approve, then there will be a code query parameter on the end of the URL representing an access code.

You must then exchange this access code for an OAuth token. Send a POST request to:

https://www.eventbrite.com/oauth/token

This POST must contain the following urlencoded data, along with a Content-type: application/x-www-form-urlencoded header:

code=THE_USERS_AUTH_CODE&client_secret=YOUR_CLIENT_SECRET&client_id=YOUR_API_KEY&grant_type=authorization_code

The subsequent POST will contain the user’s access_token.

Authenticating requests

Once you have an OAuth token, you must include it on all requests - every request to the OAuth API must be authenticated, no anonymous access is allowed.

You have two options to pass the token: using the authentication header (preferred) or as a query string parameter

Authorization header

Just include an Authorization header with the value Bearer MYTOKEN:

Authorization: Bearer SESXYS4X3FJ5LHZRWGKQ

Query string parameter

Include the token on the end of the URL as the token parameter:

https://www.eventbriteapi.com/v3/users/me/?token=SESXYS4X3FJ5LHZRWGKQ