Authenticating with the Meetup API

Most Meetup API endpoints require member authentication for context. We support four different authentication methods, suggested for different kinds of applications:

  • OAuth 2

    for apps that carry out actions for many Meetup users. The successor to OAuth 1.0a.

  • OAuth 1.0a

    for apps that carry out actions for many Meetup users.

  • API keys

    for server-side apps acting on behalf of a single user.

  • API key signatures

    for JavaScript apps that would expose any key in their source.

We support HTTPS for all API methods and strongly encourage using it for requests that have an API key parameter and for OAuth token exchange requests. HTTPS is required for OAuth 2 usage.

OAuth 2 authentication

The Meetup API provides support for OAuth 2, the superseding specification for OAuth 1, authentication. This protocol requires all client communication with the Meetup servers to use HTTPS. If your application does not, our servers will response with a 400 error and a message asking you to do so.

We provide implementations of both the server and implicit protocol flows. We provide the following endpoints for both where necessary.

EndpointURL
Authorizationhttps://secure.meetup.com/oauth2/authorize
Access Tokenshttps://secure.meetup.com/oauth2/access

Before you can use OAuth 2 for user authorization, you need to either register a new OAuth consumer or add a redirect_uri to your existing consumer by clicking the edit link next to you consumer's listing. The redirect_uri you register for a given client will be used to validate future oauth2 requests. Any redirect_uri parameter that starts with the registered uri will be considered valid. For instance if you register the uri http://foo.com, http://foo.com/authed will be considered valid while http://bar.foo.com will not.

OAuth 2 consumers are also valid OAuth 1.0a consumers.

Server Flow

This flow is suitable for applications that are capable of securely storing consumer secrets.

Requesting Authorization

Redirect your user to the following URL in a browser:

https://secure.meetup.com/oauth2/authorize
    ?client_id=YOUR_CONSUMER_KEY
    &response_type=code
    &redirect_uri=YOUR_CONSUMER_REDIRECT_URI

The redirect_uri used here may vary but must start with the same redirect_uri you have registered with your consumer.

Meetup will ask the user to login if they are not already logged in. If the user has previously authorized access for the provided client_id, Meetup will immediately redirect the user back to the redirect_uri with success query parameters. If the authenticated user has not previously authorized the provided client or has revoked its access, Meetup will prompt them to authorize your application. Afterwords, Meetup will redirect the user back to the provided redirect_uri along with their response.

A successful authorization will contain these query parameters:

ParameterDescription
codeA string that can only be used once to request an access token
stateAn opaque string that you may provide in the initial request

A failed authorization will contain an optional state parameter as mentioned above as well as an error query parameter with one of the following values

ErrorReason
invalid_requestThe request was malformed or missing parameters
unauthorized_clientThe client is not authorized
access_deniedThe user denied the request for authorization
unsupported_response_typeMeetup doesn't support the provided response_type
4xx or 5xxThe HTTP status code of any other error

Requesting Access Token

Have your server make an HTTP application/x-www-form-urlencoded encoded POST request for an access token with the following format:

https://secure.meetup.com/oauth2/access
with the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY
&client_secret=YOUR_CONSUMER_SECRET
&grant_type=authorization_code
&redirect_uri=SAME_REDIRECT_URI_USED_FOR_PREVIOUS_STEP
&code=CODE_YOU_RECEIVED_FROM_THE_AUTHORIZATION_RESPONSE

The important parameter to note is grant_type which should be set to authorization_code. The redirect_uri used in this step must be the same redirect_uri used in the previous step.

We also support the usage of query string parameters for this method.

A successful response will contain the following data in application/json format

{
  "access_token":"ACCESS_TOKEN_TO_STORE",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}

A failure response will contain an application/json encoded string with an error property containing one of the following values

ErrorReason
invalid_requestThe request was malformed or missing parameters
invalid_clientClient authentication failed
unauthorized_clientThe provided client was not authorized to use this grant type
invalid_grantThe provided code was invalid
unsupported_grant_typeMeetup does not support the provided grant type

Make authenticated requests

See the making authenticated requests section below

Implicit Flow

This flow is suitable for JavaScript based browser clients.

Requesting Authorization and Receiving Access Token

Redirect the user's browser to the following URL

https://secure.meetup.com/oauth2/authorize
   ?client_id=YOUR_CONSUMER_KEY
   &response_type=token
   &redirect_uri=YOUR_CONSUMER_REDIRECT_URI

This will ask the user to log in if they are not already logged in then prompt them to authorize your application.

The response parameters listed in the server flow's success (with the exception of refresh_token) and failure access token responses will be included in the implicit authorization's client response appended as a url fragment. Because this information is encoded in a url fragment, it can only be retrieved with client-side browser scripts.

Make authenticated requests

See the making authenticated requests section below

Refreshing Your Access Token

Once received, an access_token is only valid for use for one hour. This is indicated in the expires_in response parameter as seconds. You can refresh the access_token at any time and without involving the user by making a token refresh request. Note, this requires client credentials which users of the implicit flow should not be storing.

Refreshing Token

To refresh an access_token, have your server make an HTTP application/x-www-form-urlencoded encoded POST request for an access token with the following format, this time setting grant_type to refresh_token.

https://secure.meetup.com/oauth2/access
with the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY
&client_secret=YOUR_CONSUMER_SECRET
&grant_type=refresh_token
&refresh_token=REFRESH_TOKEN_YOU_RECEIVED_FROM_ACCESS_RESPONSE

We also support the usage of query string parameters for this flow but the request method must be POST.

A successful response will contain the following data in application/json format

{
  "access_token":"ACCESS_TOKEN_TO_STORE",
  "token_type": "bearer",
  "expires_in":3600,
  "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}

A failure response will contain an application/json encoded string with an error property containing one of the following values

errorreason
invalid_requestThe request was malformed or missing parameters
invalid_clientClient authentication failed
invalid_grantThe provided code was invalid
unauthorized_clientThe provided client was not authorized to use this grant type
unsupported_grant_typeMeetup does not support the provided grant type

Make authenticated requests

Note that after receiving the refreshed set of credentials, the previous set will have since been invalidated. You should discard the old values at this point.

See the making authenticated requests section below for use of your refreshed set of credentials

Making Authenticated Requests

After successfully obtaining member authorization and an access_token you may now make authenticated API requests using HTTPS by supplying the token value in an Authorization header prefixed with bearer and a space.

curl -H "Authorization: Bearer {access_token}" https://api.meetup.com/2/member/self/
or by sending the same access token as a request parameter
curl "https://api.meetup.com/2/member/self/?access_token={access_token}"

User Deauthorization

At any time, a user may choose to revoke access to your application here. This will invalidate any access credentials your application may have been provided for that user.

In order to re-obtain authorization, your application will need to re-request authorization from the user.

Access tokens received from the implicit oauth2 flow will also expire, regardless of the ageless scope, when the user logs out of meetup.com.

Mobile-Optimized Authorization Display

In some cases, you may want to display Meetup's authorization page in a more compact way for mobile devices or a JavaScript popup window. For these cases just append the query parameter set_mobile with a value of on.

User signup

Besides asking the user to log in or to authorize your application, a user may be asked to create an account if they are not already a member. If they choose to do so through they are sent an email verification link which. Once verified, if you are using the server flow, Meetup will redirect the user to your application with the user granted authorization.

If you are implementing an implicit client, you should be aware of this in your design. Typically these clients will open a popup window to display the Meetup login and authorization forms. If the user chooses to create an account through Meetup, after the verification step, the user will only be sent to meetup.com and not redirected to your app which, by that time will most likely have lost the local state need to handle in the incoming request in a new window.

Member registration as part of an OAuth flow can be helpful if the member wishing to log into your application is not a member on Meetup. It can also add complexity. Applications may opt out of registration by providing an additional parameter named suppress, who's value is set to reg. This will have the effect of suppressing a link to register for a new Meetup account if your application user is not already a member on Meetup. You should be clear in any of your application's interstitial views prior to redirecting your user to Meetup that your application requires an account on meetup.com.

Permission Scopes

OAuth 2 introduces the concept of access scopes which further restrict access of a consumer to a Meetup user's data. All o-authorized clients and API keys are implicitly provided the basic scope. We offer an additional scope, messaging, which enables Members and Organizers to send messages, preferences permitting, to one another. This feature is available for both OAuth 1.0a and OAuth 2 clients but not API key-based authentication.

To request this additional scope, pass a value of one or more scope names using + space encoding in the scope request parameter to the end point for obtaining a request token in OAuth 1.0a, https://api.meetup.com/oauth/request/, and the endpoint for obtaining authorization in OAuth 2, https://secure.meetup.com/oauth2/authorize.

Below is a table of the available Meetup API scopes names an their associated permissions.

scopepermission
agelessReplaces the one hour expiry time from oauth2 tokens with a limit of up to two weeks
basicAccess to Meetup group info, Everywhere API, creating and editing Events and RSVP's, posting photos
group_editAllows the authorized application to edit groups you organize on your behalf
messagingEnables Member to Member messaging (this is now deprecated)
reportingAllows the authorized application to block and unblock other members and submit abuse reports on your behalf

Note, when making a request you should be able to see which scopes have been enabled and are required using in the following headers

X-OAuth-Scopes: basic, messaging
X-Accepted-OAuth-Scopes: basic, messaging

You should also be able to see which scopes are required in the method documentation.

Additional OAuth 2 Notes

At this time, there is a proposal for access tokens to be associated with a token_type which determines how authenticated requests provide the access_token parameter. The two which are documented are bearer and mac, both of which are still both in early draft phases of specification. In the future, the Meetup API may require either of these in place of simply appending the access_token to a request. Application developers should be aware of this and plan accordingly.

OAuth 1.0a Authentication

The Meetup API supports authentication of third-party applications using the OAuth protocol. This allows your application to access a user's data and RSVP to events on behalf of the user (after they have explicitly granted permission). If you would like to set up an OAuth consumer to use for your application, you can create one here. The procedure to making requests with OAuth is as follows:

  • Fetch a request token, by using the request token URL: https://api.meetup.com/oauth/request/ signed with your consumer credentials. You must include an oauth_callback parameter. Set it to URL that the user will be redirected to after authorizing the application, or oob for out-of-band authentication. The response will include a key and secret for a request token.
  • Redirect the user to the authorization url:
    https://secure.meetup.com/authorize/?oauth_token=request_token_key.
  • After authorizing, the user is redirected to your callback url with the oauth_token and an oauth_verifier parameter that your application will need acquire an access token. For out-of-band authorization, the verifier is displayed as a "pin" for the user to enter into your application.
  • Fetch an access token using the access token URL: https://api.meetup.com/oauth/access/. If the user has chosen to allow the application and a correct oauth_verifier parameter is supplied, the request will return an access token key and secret which can be used for subsequent requests.
  • Make API calls as normal - but with the necessary OAuth parameters or headers added to the request. Meetup users can see a list of applications they've authorized in their account settings page, and choose to remove an application. After a user chooses to remove an application, the access token will expire and any requests made with the token will fail. The user will need to re-authorize the application in order to allow access to continue with a new token.

Signatures are used to ensure the identity of the consumer application. Currently, the Meetup implementation of OAuth supports plaintext and HMAC_SHA1 as signature methods. For the URL portion of the signature base string, use the following values:

EndpointURL
Request Tokenshttps://api.meetup.com/oauth/request/
Access Tokenshttps://api.meetup.com/oauth/access/
Protected Resources (API endpoints)https://api.meetup.com/
For complete details on how to form signatures for OAuth requests, refer to the OAuth specification details.

OAuth Authentication

Endpoint: https://secure.meetup.com/authenticate/?oauth_token=request_token_key

In addition to the standard OAuth 1.0a authorization flow, we support an authentication endpoint for sites that wish to use Meetup to sign in users. Under certain conditions this endpoint will immediately redirect back to the callback URL:

  • The user is already logged in to Meetup, and
  • The user has already authorized your application and that authorization has not been revoked, and
  • The provided request token is valid

When these conditions are not satisfied the authentication endpoint behaves the same as the authorization endpoint, sending the user to the sign in or authorization page as appropriate.

API Request Signing

OAuth requests must also satisfy the following requirements:

  • Include a timestamp (oauth_timestamp) which must match to within a 5 minute window of the server time, expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
  • Include a nonce (oauth_nonce) which is a unique, randomly generated number that is specific to this request.
  • Include the consumer key (oauth_consumer_key) which is used to identify the application making the request.
  • Include the signature method (oauth_signature_method) and signature (oauth_signature) which are cryptographically generated digests of the resource URL, the parameters, the consumer secret, and the nonce + timestamp values.
If any of these components are missing or invalid, the OAuth request will be rejected with an error. The tedious part of assembling these parameters is easily addressed by using an OAuth client library or one the community-developed Meetup API client libraries, which bundle support for things like authenticating requests.

API Keys

This is the easist method to get started using the API. Simply access you API Key and append it to any request. The request's authorization will be based on the owner's key.

API Key signatures

Similar to OAuth signing, this method of authentication certifies that a request was approved by a particular user. Unlike OAuth-signed requests, key-signed requests may be reused and recycled as long as their corresponding API key is valid. If a signed URL is released to the public, any application can use it to interact with Meetup as if it had that API key; the difference is that it can not change definitive parameters or use the signature against other API methods.

Because requests are signed with an API key as well as a Meetup private key, it is not possible for applications to sign them independently. Instead they pass a "sign=true" parameter along with a standard read request authorized by an API key. This causes a "signed_url" field to be returned in the response metadata. OAuth requests may not be signed with an API key, as this would allow a consumer to continue act on behalf of a user even if its access token is revoked.

URL: any read method
Formats: json, xml

Parameters: all of the required parameters for the standard request must be supplied, as well as the following:

  • sign Set to "true"
  • key API key authentication is required.

Variable Parameters: Certain parameters are excluded from the URL signature calculation so that they may be updated to recycle the request.

  • offset Paging through long responses.
  • format Change the response format to xml or json.
  • callback Specify a JavaScript callback to handle the results.

Response Data

Along with the normal results and metadata, a "signed_url" is returned that can be used to repeat the request. In JSON it is in the "meta" object, in XML the "head" element.

  • signed_url Full signed url, may include default values for parameters not specified in the original request. Parameters may be reordered when reusing but only the value of the "variable parameters" may be altered.
Examples:

Get the upcoming NY Tech Meetups.

https://api.meetup.com/2/events?key=ABDE12456AB2324445&group_urlname=ny-tech&sign=true

The returned "signed_url" field to be published and reused.

https://api.meetup.com/2/events/?radius=25.0&order=time&group_urlname=ny-tech&offset=0&format=json&page=20&sig_id=123456780&sig=xxxxxx