Login Kit Overview

Login Kit must now be implemented directly via OAuth2, providing developers with greater flexibility in integrating Snapchat Login for their mobile and web apps. Previously, we offered Login Kit SDKs that wrapped the OAuth2 service, making it easy to add a login button, but they lacked the flexibility needed for broader integration. While these SDKs are being deprecated, the underlying OAuth2 service remains fully available for secure authentication with Snapchat accounts.

Login Kit is Snap’s implementation of the OAuth 2.0 standard, enabling seamless user authentication and identity integration. It allows your app or website to offer a "Log in with Snapchat" button, simplifying the signup and login process for your users. While Login Kit previously referred to Snap’s SDK, this page focuses on the OAuth 2.0 service that powers these features.

Login: Authenticate users quickly and securely using their Snapchat accounts.
Identity: Access optional user metadata, such as display names or Bitmoji avatars, to personalize their experience in your app.

With Login Kit, you can:

Add a “Log in with Snapchat” Button: Simplify signup and login processes for users.
Enhance User Experience: Use display names or Bitmoji avatars (optional) to provide a recognizable identity.
Authenticate Securely: Implement OAuth 2.0 flows tailored to your app’s needs—whether it’s a public client (e.g., SPAs) or a server side app.

Authorization Code Flow with PKCE (Recommended):
- Suitable for public clients like mobile apps and SPAs.
- Uses PKCE to secure the authorization process without requiring a client secret.
Server Side Authorization Code Flow:
- Recommended for server side apps that can securely store a client secret.
- Offers long-term access via refresh tokens.
Implicit Grant Flow:
- Designed for public clients like single-page applications (SPAs) where storing a client secret is not feasible.
- Provides access tokens directly in the redirect URL, minimizing the steps required for authentication but with limited security compared to other flows.

Key Endpoints

Authorization Endpoint

Direct users to Snapchat for authentication and consent.

URL:

https://accounts.snapchat.com/accounts/oauth2/auth

Required Parameters:

Parameter	Required	Description
`client_id`	Yes	Your app’s OAuth 2.0 Client ID from Snap Developer Portal.
`redirect_uri`	Yes	The URI where users are redirected after login.
`response_type`	Yes	Set to `code` for Authorization Code Flow or `token` for Implicit Grant Flow.
`scope`	Yes	Space-separated list of requested permissions (see Scopes).
`state`	Yes	Random string to protect against CSRF attacks.
`code_challenge`	Yes (PKCE)	Hashed value of `code_verifier` for PKCE.
`code_challenge_method`	Yes (PKCE)	Use `S256` for PKCE.

Token Endpoint

Exchange authorization codes for access and refresh tokens.

URL:

https://accounts.snapchat.com/accounts/oauth2/token

Required Parameters:

Parameter	Required	Description
`client_id`	Yes	Your app’s OAuth 2.0 Client ID from Snap Developer Portal.
`redirect_uri`	Yes	Must match the URI used in the authorization request.
`grant_type`	Yes	Use `authorization_code` for code exchange or `refresh_token` for token refresh.
`code`	Yes (Code Exchange)	Authorization code received from the authorization endpoint.
`code_verifier`	Yes (PKCE)	Original string used to generate the `code_challenge`.
`client_secret`	Yes (Server Side)	Required for confidential clients during token exchange or refresh.

Scopes

Scopes define the permissions your app requests during user authentication. Some scopes can be toggled in the app version settings within the Snap Developer Portal, while others are always available or conditionally enabled (e.g., for apps with Camera Kit). The following scopes are available:

Scope	Description	Toggleable by User
`https://auth.snapchat.com/oauth2/api/user.display_name`	Grants access to the user’s display name.	No
`https://auth.snapchat.com/oauth2/api/user.external_id`	Grants access to a unique app-specific user ID.	No
`https://auth.snapchat.com/oauth2/api/user.bitmoji.avatar`	Grants access to the user’s Bitmoji avatar.	Yes
`https://auth.snapchat.com/oauth2/api/camkit_lens_push_to_device`	Enables Lens Push-to-Device for Camera Kit-enabled apps.	No (Available with Camera Kit)

The https://auth.snapchat.com/oauth2/api/camkit_lens_push_to_device scope is automatically available to apps with Camera Kit enabled. It cannot be toggled by users directly.

Example Scope List:

"scopeList": [
  "https://auth.snapchat.com/oauth2/api/user.display_name",
  "https://auth.snapchat.com/oauth2/api/user.bitmoji.avatar"
]

Integration Options

Client-Side Integration (PKCE)

Use Case: Public clients (e.g., SPAs, mobile apps) that cannot securely store a client secret.
Security: PKCE replaces the need for a client secret, ensuring secure token exchange.

Step 1: Authorization Request

Redirect the user to Snapchat's Authorization Endpoint with the required parameters.

Example Request:

GET https://accounts.snapchat.com/accounts/oauth2/auth
?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=https%3A%2F%2Fauth.snapchat.com%2Foauth2%2Fapi%2Fuser.display_name
%20https%3A%2F%2Fauth.snapchat.com%2Foauth2%2Fapi%2Fuser.bitmoji.avatar
&state=RANDOM_STRING
&code_challenge=HASHED_CODE_VERIFIER
&code_challenge_method=S256

Step 2: Token Exchange

Once the user authorizes your app, Snapchat will redirect them back to the redirect_uri you specified, appending an authorization code and other parameters as query string values. This authorization code expires after 10 minutes. Use this code to request an access token.

Example Redirect URL:

https://your-app.com/callback?code=AUTHORIZATION_CODE&state=STATE_VALUE

Query Parameters:

code: The authorization code provided by Snapchat. Use this code to exchange for an access token.
state: The state value you originally included in the authorization request, which should be validated to prevent CSRF attacks.

Example Request:

POST https://accounts.snapchat.com/accounts/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
code=AUTHORIZATION_CODE
redirect_uri=YOUR_REDIRECT_URI
client_id=YOUR_CLIENT_ID
code_verifier=ORIGINAL_CODE_VERIFIER

Response:

{
  "access_token": "NEW_ACCESS_TOKEN",
  "expires_in": 3600,
  "refresh_token": "NEW_REFRESH_TOKEN",
  "scope": "https://auth.snapchat.com/oauth2/api/user",
  "token_type": "Bearer"
}

Step 3: Refreshing the Access Token

Access tokens expire after 1 hour. When the access token expires, use the refresh token to obtain a new one without requiring the user to log in again.

Example Request:

POST https://accounts.snapchat.com/accounts/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
refresh_token=YOUR_REFRESH_TOKEN
client_id=YOUR_CLIENT_ID

Response:

{
  "access_token": "NEW_ACCESS_TOKEN",
  "expires_in": 3600,
  "refresh_token": "NEW_REFRESH_TOKEN",
  "scope": "https://auth.snapchat.com/oauth2/api/user",
  "token_type": "Bearer"
}

Server-Side Integration

Use Case: Applications with secure backends that can store a client secret.
Security: Combines PKCE and client_secret for maximum security.

Step 1: Authorization Request

Redirect the user to Snapchat's Authorization Endpoint with the required parameters.

Example Request:

GET https://accounts.snapchat.com/accounts/oauth2/auth
?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=https%3A%2F%2Fauth.snapchat.com%2Foauth2%2Fapi%2Fuser.display_name
%20https%3A%2F%2Fauth.snapchat.com%2Foauth2%2Fapi%2Fuser.bitmoji.avatar
&state=RANDOM_STRING
&code_challenge=HASHED_CODE_VERIFIER
&code_challenge_method=S256

Step 2: Token Exchange

Exchange the authorization code for access and refresh tokens. Include the client_secret for server-side validation. This authorization code expires after 10 minutes of grant.

Example Request:

POST https://accounts.snapchat.com/accounts/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
code=AUTHORIZATION_CODE
redirect_uri=YOUR_REDIRECT_URI
client_id=YOUR_CLIENT_ID
client_secret=YOUR_CLIENT_SECRET
code_verifier=ORIGINAL_CODE_VERIFIER

Step 3: Refreshing the Access Token

Access tokens expire after 1 hour. When the access token expires, use the refresh token to obtain a new one without requiring the user to log in again.

Example Request:

POST https://accounts.snapchat.com/accounts/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
refresh_token=YOUR_REFRESH_TOKEN
client_id=YOUR_CLIENT_ID

Client-Side Integration (Implicit Grant Flow)

Use Case: Applications that need temporary access tokens for short-lived operations and do not require token refresh. Common for single-page applications (SPAs) that cannot securely store secrets or refresh tokens.
Security: Since tokens are exposed directly in the browser, the implicit Grant flow is less secure compared to the PKCE-based flow. Use only if PKCE or server-side integrations are not feasible.

How It Works

Authorization Request:
- Redirect the user to Snapchat's Authorization Endpoint with response_type=token.
- The access token is returned directly in the URL fragment (#) of the redirect URI.
Access Token Usage:
- Extract the access token from the URL and use it to access the requested resources.
No Refresh:
- Once the token expires, the user must authenticate again to obtain a new access token.

Step 1: Authorization Request

Redirect the user to the Authorization Endpoint. Example:

GET https://accounts.snapchat.com/accounts/oauth2/auth
?response_type=token
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=https%3A%2F%2Fauth.snapchat.com%2Foauth2%2Fapi%2Fuser.display_name
%20https%3A%2F%2Fauth.snapchat.com%2Foauth2%2Fapi%2Fuser.bitmoji.avatar
&state=RANDOM_STRING

Step 2: Extracting the Access Token

After the user authorizes your app, Snapchat redirects them to the specified redirect_uri with the access token in the URL fragment (#).

Example Redirect URI:

https://your-app.com/callback#access_token=ACCESS_TOKEN&token_type=Bearer&expires_in=3600&state=RANDOM_STRING

Your app must:

Parse the access_token and expires_in values from the fragment.
Use the access token to make API calls to Snapchat.

Security Considerations

The Implicit Grant Flow exposes the access token in the URL, making it susceptible to interception (e.g., via browser history or logging tools). Use this flow only if:

Your app cannot securely store secrets.
The access token has a short expiration time.
You implement additional security measures (e.g., HTTPS, token expiration checks).

Error Handling

Common Errors

Error Code	Description
`invalid_request`	Missing or invalid parameter.
`unauthorized_client`	The client is not allowed to use this flow.
`invalid_grant`	Expired or already-used authorization code.
`access_denied`	User denied the request.

Best Practices

Validate tokens on every request.
Handle token expiration by refreshing access tokens securely.
Use the state parameter to prevent CSRF.

Best Practices for Secure Integration

Use PKCE: Always implement PKCE for public clients.
Secure Secrets: Keep client_secret in server side environments only.
Rotate Tokens: Regularly refresh access tokens and store them securely.
Handle Revocations: Implement user-friendly UI for revoking access when needed.

PKCE (Proof Key for Code Exchange)

PKCE (pronounced “pixie”) enhances the security of OAuth 2.0 flows for public clients, such as mobile apps and single-page applications (SPAs), by mitigating the risk of authorization code interception.

Why PKCE?

OAuth 2.0 authorization codes are often exchanged in client-side flows, where malicious actors might intercept them. PKCE prevents this by requiring a code verifier (a random secret) and a derived code challenge to validate the token exchange.

How PKCE Works

Generate a Code Verifier:
- A random string (between 43-128 characters) created at the start of the authorization request.
Derive a Code Challenge:
- A secure, SHA256 hash of the code verifier encoded in base64 URL format.
Authorization Request:
- The app sends the code challenge and other OAuth parameters to Snapchat’s authorization endpoint.
Token Request:
- The app sends the original code verifier during the token exchange, proving possession of the secret.
Validation:
- The server validates that the code verifier matches the previously sent code challenge.

Learn More About PKCE

For an in-depth explanation and additional examples, refer to these trusted resources:

Was this page helpful?

Yes

What You Can Do with Login Kit​

How Login Kit Works​

Key Endpoints​

Authorization Endpoint​

Token Endpoint​

Scopes​

Integration Options​

Client-Side Integration (PKCE)​

Step 1: Authorization Request​

Step 2: Token Exchange​

Step 3: Refreshing the Access Token​

Server-Side Integration​

Step 1: Authorization Request​

Step 2: Token Exchange​

Step 3: Refreshing the Access Token​

Client-Side Integration (Implicit Grant Flow)​

How It Works​

Step 1: Authorization Request​

Step 2: Extracting the Access Token​

Security Considerations​

Error Handling​

Common Errors​

Best Practices​

Best Practices for Secure Integration​

PKCE (Proof Key for Code Exchange)​

Why PKCE?​

How PKCE Works​

Learn More About PKCE​

What You Can Do with Login Kit

How Login Kit Works

Key Endpoints

Authorization Endpoint

Token Endpoint

Scopes

Integration Options

Client-Side Integration (PKCE)

Step 1: Authorization Request

Step 2: Token Exchange

Step 3: Refreshing the Access Token

Server-Side Integration

Step 1: Authorization Request

Step 2: Token Exchange

Step 3: Refreshing the Access Token

Client-Side Integration (Implicit Grant Flow)

How It Works

Step 1: Authorization Request

Step 2: Extracting the Access Token

Security Considerations

Error Handling

Common Errors

Best Practices

Best Practices for Secure Integration

PKCE (Proof Key for Code Exchange)

Why PKCE?

How PKCE Works

Learn More About PKCE