IMPORTANT! OAuth1 has been deprecated for access to the Mendeley API. Current applications using OAuth1 can continue to use it, but they will have to migrate to OAuth2 by April 14, 2014.
The OpenAPI uses OAuth2 for authentication. Developers must register their application with us before they're able to make use of the API.
To register your OAuth2 application, please send us an email to firstname.lastname@example.org, providing the following information:
We'll confirm the new credentials by email. Once that's done, you'll be ready to go!
Things to bear in mind when authenticating using OAuth2:
Mendeley provides two authentication flows: one for applications accessing resources that require the user's authorization, and one for applications accessing public data that belongs to Mendeley.
These two flows are known in OAuth2 as the Authorization Code and Client Credentials flows.
This flow is used for server-side web applications and starts in the user's browser.
Your application will have to send the user to Mendeley's Authorize page to obtain the user's authorization:
You will need to specify the following parameters with the link:
If the request is successful, Mendeley will redirect the user back to your application at the URL specified in redirect_uri. A query parameter named code will be included in the redirect.
The application then needs to exchange the code for an OAuth access token, which it uses to make API requests. If you are using a library, this step will typically happen automatically.
You will need to specify the following parameters in the request:
This request needs to be authenticated with the credentials provided at registration.
If the request succeeds, Mendeley will issue and return an OAuth access token in a JSON response with the following values:
When the access token is about to expire, refresh it before it does, so that you don't have to wait for the API to reject your request because the token is no longer valid.
To refresh an access token, make another POST request to the token endpoint, specifying refresh_token as the grant_type.
This request must also be authenticated with client_id and client_secret.
After obtaining the access token, this can be sent along in a few ways:
1. Using the Authorization header (preferred):
The Authorization header has a few advantages: it is rarely logged by proxy servers or in access logs, it is almost never cached, and it doesn't get stored in the browser cache when requests are made from the client. Including the token as a URL query parameter is still useful for debugging, however, since adding the header can be more awkward.
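An added example (not from the original page) of the client-side handling described above: it computes the token's expiry from expires_in, asks for a refresh a margin before that point, attaches the token as an Authorization header rather than a query parameter, and scrubs a token that did end up in a URL from a log line. The "Bearer" scheme (RFC 6750), the API URL and the log line are assumptions or constructed values; the page itself names neither.

```python
import re
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class BearerToken:
    """Holds an access token and decides when it should be refreshed."""

    def __init__(self, token_response, now=None, refresh_margin=60):
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response.get("refresh_token")
        issued = time.time() if now is None else now
        # expires_in is the lifetime in seconds from the token response.
        self.expires_at = issued + int(token_response["expires_in"])
        self.refresh_margin = refresh_margin  # refresh this many seconds early

    def needs_refresh(self, now=None):
        """True once we are inside the margin before expiry (or past it)."""
        now = time.time() if now is None else now
        return now >= self.expires_at - self.refresh_margin

    def auth_header(self):
        # Preferred: the token travels in a header, so it stays out of URLs,
        # access logs and browser caches. "Bearer" is an assumption (RFC 6750).
        return {"Authorization": "Bearer " + self.access_token}

    def as_query_param(self, url):
        # Debug-only alternative: the token becomes part of the request URL,
        # which proxies and access logs routinely record.
        parts = urlsplit(url)
        query = parse_qsl(parts.query) + [("access_token", self.access_token)]
        return urlunsplit(parts._replace(query=urlencode(query)))


TOKEN_RE = re.compile(r"(access_token=)[^&\s]+")


def redact_access_token(log_line):
    """Scrub access_token values from a request URL that landed in a log."""
    return TOKEN_RE.sub(r"\1[REDACTED]", log_line)


def demo():
    # Constructed token response and fixed clock so the result is deterministic.
    tok = BearerToken({"access_token": "at-1", "expires_in": 3600,
                       "refresh_token": "rt-1"}, now=1000)
    return {
        "fresh": tok.needs_refresh(now=1000),
        "near_expiry": tok.needs_refresh(now=1000 + 3541),
        "header": tok.auth_header(),
        "url": tok.as_query_param("https://api.example/documents?limit=10"),
        "log": redact_access_token(
            "GET /documents?limit=10&access_token=at-1 HTTP/1.1 200"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keep the refresh margin comfortably larger than your request latency and clock skew; if the refresh itself fails, the old token is still usable until expires_at, so the client can retry the refresh rather than immediately failing the API call.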
Accessing the data that the Mendeley API's public resources provide doesn't require user authorization; however, applications still need to authenticate with our servers.
For this, just like in step 2 of the Authorization Code flow, you can request an "anonymous" access token for the application as follows:
You will still need to authenticate the request with client_id and client_secret, and set grant_type to "client_credentials".
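The token-endpoint exchanges described on this page (building the authorize link, exchanging the code and refreshing in the Authorization Code flow, and requesting the anonymous token in the Client Credentials flow), carried through as an added Python example. This is not Mendeley's code or an SDK. The endpoint URLs, the response_type and state parameters on the authorize link, and HTTP Basic client authentication are assumptions taken from RFC 6749 because the page does not list them; the token server is a constructed stand-in so the code runs offline.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints: the page does not give the real URLs.
AUTHORIZE_URL = "https://example.invalid/oauth/authorize"
TOKEN_URL = "https://example.invalid/oauth/token"


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the link the user's browser is sent to. response_type and state
    are standard RFC 6749 parameters (assumed here, not listed on the page);
    state lets the callback reject redirects we did not initiate."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state})


def parse_redirect(redirect_url, expected_state):
    """Pull the code out of the redirect back to redirect_uri, checking state."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged redirect")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def basic_auth_header(client_id, client_secret):
    """Client authentication with the registration credentials (HTTP Basic)."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def token_request(post, client_id, client_secret, form):
    """POST a form to the token endpoint. `post(url, headers, form)` is an
    injected transport returning (status, body) so the example runs offline."""
    headers = basic_auth_header(client_id, client_secret)
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    status, body = post(TOKEN_URL, headers, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    token = json.loads(body)
    if "access_token" not in token:
        raise RuntimeError("malformed token response")
    return token


def exchange_code(post, client_id, client_secret, code, redirect_uri):
    """Step 2: swap the single-use code for an access token."""
    return token_request(post, client_id, client_secret, {
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri})


def refresh(post, client_id, client_secret, refresh_token):
    return token_request(post, client_id, client_secret, {
        "grant_type": "refresh_token", "refresh_token": refresh_token})


def client_credentials(post, client_id, client_secret):
    """Anonymous application token for public resources."""
    return token_request(post, client_id, client_secret, {
        "grant_type": "client_credentials"})


# --- Constructed stand-in for the token endpoint; not Mendeley's server ---
CLIENT_ID, CLIENT_SECRET = "demo-client-id", "demo-client-secret"  # constructed
REDIRECT_URI = "https://app.example/cb"  # constructed
ISSUED_CODES = set()  # codes the fake server currently considers valid


def fake_post(url, headers, form):
    if headers.get("Authorization") != basic_auth_header(CLIENT_ID, CLIENT_SECRET)["Authorization"]:
        return 401, json.dumps({"error": "invalid_client"})
    grant = form.get("grant_type")
    if grant == "authorization_code":
        if form.get("code") not in ISSUED_CODES or form.get("redirect_uri") != REDIRECT_URI:
            return 400, json.dumps({"error": "invalid_grant"})
        ISSUED_CODES.discard(form["code"])  # a code may be exchanged only once
        return 200, json.dumps({"access_token": "at-1", "token_type": "bearer",
                                "expires_in": 3600, "refresh_token": "rt-1"})
    if grant == "refresh_token":
        if form.get("refresh_token") != "rt-1":
            return 400, json.dumps({"error": "invalid_grant"})
        return 200, json.dumps({"access_token": "at-2", "token_type": "bearer",
                                "expires_in": 3600, "refresh_token": "rt-2"})
    if grant == "client_credentials":
        return 200, json.dumps({"access_token": "anon-1", "token_type": "bearer",
                                "expires_in": 3600})
    return 400, json.dumps({"error": "unsupported_grant_type"})


def demo():
    """Run both flows end to end against the fake server."""
    ISSUED_CODES.add("c0de-123")  # the fake provider "issues" this code
    state = secrets.token_urlsafe(16)
    authorize_url = build_authorize_url(CLIENT_ID, REDIRECT_URI, state)
    # The user authorizes and the provider redirects back with code and state.
    code = parse_redirect(f"{REDIRECT_URI}?code=c0de-123&state={state}", state)
    token = exchange_code(fake_post, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    refreshed = refresh(fake_post, CLIENT_ID, CLIENT_SECRET, token["refresh_token"])
    anonymous = client_credentials(fake_post, CLIENT_ID, CLIENT_SECRET)
    return {"authorize_url": authorize_url, "token": token,
            "refreshed": refreshed, "anonymous": anonymous}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The client secret only ever travels in the Basic header to the token endpoint, never in the authorize link the browser sees, and the fake server illustrates three checks a real one makes: it rejects a wrong client secret, a redirect_uri that differs from the one used on the authorize link, and a code presented a second time.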