Authorization Code Flow

The Authorization Code flow enables your application to make API requests on behalf of Central Dispatch customers. Users will authenticate through the standard Central Dispatch login page, after which you'll receive an authorization code to exchange for a service token.

Implementation Steps

First, redirect the user to the Central Dispatch authorization endpoint:

GET https://id.centraldispatch.com/connect/authorize

Required Query Parameters

Key	Description
client_id	An ID that was assigned to your company by Central Dispatch.
grant_type	This field should always contain the value `authorization_code`.
response_type	This field should always contain the value `code`.
redirect_uri	The URI of where you want the user to be redirected after logging in.
scope	A space delimited list of scopes will be provided to you by Central Dispatch. The example below is asking for access to the listing service as well as requesting a refresh token.

Example Request

https://id.centraldispatch.com/connect/authorize?client_id=YOUR_CLIENT_ID&grant_type=authorization_code&response_type=code&redirect_uri=https://your-app.com/callback&scope=marketplace%20offline_access

2. Exchange Authorization Code for Service Token

After the user successfully authenticates you will receive an authorization code at the redirect_uri as a query string parameter.

Example of Redirect URL:

https://your-app.com/callback?code=72B5DA002A61DF3AD3CD12E02C37F9B42F0B62FE1F5AB15A9E0B2A49032978B4-1&scope=marketplace offline_access&iss=https://id.centraldispatch.com

The authorization code should be exchanged for a service token on behalf of the user at:

POST https://id.centraldispatch.com/connect/token

Required Request Body Parameters

Parameter	Description
client_id	An ID that was assigned to your company by Central Dispatch.
client_secret	The client secret that was assigned to your company by Central Dispatch.
grant_type	Must be `authorization_code`.
code	The authorization code from step 1.
redirect_uri	Same URI used in step 1.

Example Token Request

curl -X POST https://id.centraldispatch.com/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "grant_type=authorization_code" \
-d "code=RECEIVED_AUTH_CODE" \
-d "redirect_uri=https://your-app.com/callback"

Successful Token Response

{
  "access_token": "eyJhbGciOiJSUzI1...",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "def50200641f..."
  "scope": "listing_service offline_access"
}

3. Refresh Token Usage

When the service token expires, use the refresh token to obtain a new one:

POST https://id.centraldispatch.com/connect/token

Required Refresh Request Parameters

Parameter	Description
client_id	An ID that was assigned to your company by Central Dispatch.
client_secret	The client secret that was assigned to your company by Central Dispatch.
grant_type	Must be `refresh_token`.
refresh_token	The refresh token from previous response.

Example Refresh Request

curl -X POST https://id.centraldispatch.com/connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "grant_type=refresh_token" \
-d "refresh_token=PREVIOUS_REFRESH_TOKEN"

Successful Token Response

{
  "access_token": "eyJhbGciOiJSUzI1...",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "def50200641f..."
  "scope": "listing_service offline_access"
}

Important Notes

Store refresh tokens securely.
Refresh tokens are single-use only.
New service tokens include new refresh tokens.
All requests require HTTPS.
Use Content-Type: application/x-www-form-urlencoded for token requests.
Access Token expiration: ~30 minutes.
Refresh Token expiration: after single use.
Central Dispatch customer = user