# Using Xena API with OAuth

## Using Xena API

The basic flow looks like this:

![Flow](/files/-LrxRrVf2YD-ROtRIBZB)

1. The user enters your app.
2. The user reaches a place in your application that needs to use the Xena API.
3. The user is required to log in to Xena.
4. After a successful login, the user is redirected back to your app with tokens.
5. Your app communicates with the Xena API by passing the user's access\_token.

> See our [github samples here](https://github.com/EG-BRS/Identity.Server.Sample.Dotnet).\
> For more see [Identity Server sample clients](https://github.com/IdentityServer/IdentityServer4/tree/master/samples/Clients/src).

## Creation

First, your app needs to be registered in Xena.

Then open the app and go to tab 'OAuth'.

Click on the link to Connect, and create a new client:

<figure><img src="/files/F7HQwyM1EljaaTkbSDdx" alt=""><figcaption></figcaption></figure>

> You won't be able to change the grant type later.

**Client Id** - Unchangeable id by which your app will be recognized in Xena (the whole string, including .xena.biz).\
**Name** - Your app name that will be shown to the user on the consent screen.\
**Client Uri** - Link to your terms of service and privacy policy, shown during user login.

Settings:

* Enabled - you can enable/disable your connection with the app.
* Browser access - allows obtaining the access\_token through front channel communication.
* Off-line access - used in the hybrid flow to obtain a refresh\_token that can be exchanged for an access\_token without user interaction.

Supported grant types:

* Implicit - mainly for browser-based applications.
* Hybrid - for applications with backend where the server will communicate with the Xena API.

### Configuration

After the client creation, you will be transferred to the edit window with a few new settings:

<figure><img src="/files/gMkcOzUOAAqtDOHoHB9Q" alt=""><figcaption></figcaption></figure>

* Scopes - Available scopes for your app. The **testapi** scope is required for [**Xena API**](/xena-developer/development/get-started/the-xena-api.md) communication.
* RedirectUri - The URI of your OIDC login endpoint. The value registered here **must match** the one your client sends. (For ASP the default path is yourapp.com/signin-oidc)
* Post Logout Redirect Uri - After the user logs out, the user is redirected back to your app at this URI. (For ASP the default path is yourapp.com/signout-callback-oidc)
* Secrets - Auto-generated secret for your app (hybrid flow).
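
A minimal ASP.NET Core setup for the hybrid flow using the settings above, added here as an example and not taken from Xena or its samples. It assumes a .NET 6+ web project with implicit usings and the Microsoft.AspNetCore.Authentication.OpenIdConnect package; the `Xena:*` configuration keys, the `/xena` route and the `offline_access` scope name (the standard OpenID Connect name) are assumptions.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Assumed config keys: fill them from your app's OAuth tab, never hard-code the secret.
    options.Authority = builder.Configuration["Xena:Authority"];       // placeholder
    options.ClientId = builder.Configuration["Xena:ClientId"];         // whole string incl. .xena.biz
    options.ClientSecret = builder.Configuration["Xena:ClientSecret"]; // hybrid flow secret

    options.ResponseType = OpenIdConnectResponseType.CodeIdToken; // hybrid grant type
    options.Scope.Add("testapi");        // required for Xena API communication
    options.Scope.Add("offline_access"); // only when Off-line access is enabled
    options.CallbackPath = "/signin-oidc";                    // must match the registered RedirectUri
    options.SignedOutCallbackPath = "/signout-callback-oidc"; // must match Post Logout Redirect Uri
    options.SaveTokens = true; // keep access/refresh tokens in the auth cookie, server side only
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical route: unauthenticated users are sent to the Xena login first.
app.MapGet("/xena", async (HttpContext ctx, IHttpClientFactory factory, IConfiguration cfg) =>
{
    var token = await ctx.GetTokenAsync("access_token");
    if (token is null) return Results.Unauthorized();
    var http = factory.CreateClient();
    http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
    var body = await http.GetStringAsync(cfg["Xena:ApiUrl"]); // placeholder API URL
    return Results.Content(body, "application/json");
}).RequireAuthorization();

app.Run();
```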


