Most Meetup API endpoints require member authentication to protect access to privacy and to personalize responses.
The Meetup API provides support for OAuth 2. We require HTTPS for all API access. If your application does not use HTTPS, our servers will respond with a 400 error and a message asking you to do so.
We provide implementations of both the server and implicit protocol flows. We provide the following endpoints for both where necessary.
Endpoint | URL |
---|---|
Authorization | https://secure.meetup.com/oauth2/authorize |
Access Tokens | https://secure.meetup.com/oauth2/access |
Before you can use OAuth 2 for user authorization, you need to either register a new OAuth consumer or add a redirect_uri
to your existing consumer by clicking the edit link next to you consumer's listing. The redirect_uri
you register for a given client will be used to validate future oauth2 requests.
This uri is used as a basis for validating the address authorization requests will redirect a member to after granting or denying access to your app.
If provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL.
CALLBACK: http://example.com/path GOOD: http://example.com/path GOOD: http://example.com/path/subdir/other BAD: http://example.com/bar BAD: http://example.com/ BAD: http://example.com:8080/path BAD: http://oauth.example.com:8080/path BAD: http://example.org
This flow is suitable for applications that are capable of securely storing consumer secrets.
Redirect your user to the following URL in a browser:
https://secure.meetup.com/oauth2/authorize ?client_id=YOUR_CONSUMER_KEY &response_type=code &redirect_uri=YOUR_CONSUMER_REDIRECT_URI
The redirect_uri
used here may vary but must start with the same redirect_uri
you have registered with your consumer.
Meetup will ask the user to login if they are not already logged in. If the user has previously authorized access for the provided client_id
, Meetup will immediately redirect the user back to the redirect_uri
with success query parameters. If the authenticated user has not previously authorized the provided client or has revoked its access, Meetup will prompt them to authorize your application. Afterwords, Meetup will redirect the user back to the provided redirect_uri
along with their response.
A successful authorization will contain these query parameters:
Parameter | Description |
---|---|
code | A string that can only be used once to request an access token |
state | An opaque string that you may provide in the initial request |
A failed authorization will contain an optional state
parameter as mentioned above as well as an error
query parameter with one of the following values
Error | Reason |
---|---|
invalid_request | The request was malformed or missing parameters |
unauthorized_client | The client is not authorized |
access_denied | The user denied the request for authorization |
unsupported_response_type | Meetup doesn't support the provided response_type |
4xx or 5xx | The HTTP status code of any other error |
Have your server make an HTTP application/x-www-form-urlencoded
encoded POST request for an access token with the following format:
https://secure.meetup.com/oauth2/accesswith the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY &client_secret=YOUR_CONSUMER_SECRET &grant_type=authorization_code &redirect_uri=SAME_REDIRECT_URI_USED_FOR_PREVIOUS_STEP &code=CODE_YOU_RECEIVED_FROM_THE_AUTHORIZATION_RESPONSE
The important parameter to note is grant_type
which should be set to authorization_code
. The redirect_uri
used in this step must be the same redirect_uri
used in the previous step.
We also support the usage of query string parameters for this method.
A successful response will contain the following data in application/json
format
{ "access_token":"ACCESS_TOKEN_TO_STORE", "token_type":"bearer", "expires_in":3600, "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION" }
A failure response will contain an application/json
encoded string with an error property containing one of the following values
Error | Reason |
---|---|
invalid_request | The request was malformed or missing parameters |
invalid_client | Client authentication failed |
unauthorized_client | The provided client was not authorized to use this grant type |
invalid_grant | The provided code was invalid |
unsupported_grant_type | Meetup does not support the provided grant type |
See the making authenticated requests section below
This is currently only available to Meetup Pro users
Use this flow when you want to write a program that uses the Meetup API using your own user credentials.
To use this flow, your application should be capable of securely storing consumer secrets and the username and password and must make all requests using HTTPS. Additionally, all requests should include Accept: application/json
in the header.
Make an authorization request to the following URL
https://secure.meetup.com/oauth2/authorize ?client_id=YOUR_CONSUMER_KEY &redirect_uri=YOUR_CONSUMER_REDIRECT_URI &response_type=anonymous_code
The important parameter to note is response_type
which should be set to anonymous_code
.
A successful response will contain the following data in application/json
format
{ "code": "SINGLE_USE_AUTHORIZATION_CODE" }
Have your server make a POST request for an access token with the following format:
https://secure.meetup.com/oauth2/access? client_id=YOUR_CONSUMER_KEY &client_secret=YOUR_CONSUMER_SECRET &grant_type=anonymous_code &redirect_uri=SAME_REDIRECT_URI_USED_FOR_PREVIOUS_STEP &code=CODE_YOU_RECEIVED_FROM_THE_AUTHORIZATION_RESPONSE
The important parameter to note is grant_type
which should be set to anonymous_code
.
A successful response will contain the following data in application/json
format
{ "access_token":"ACCESS_TOKEN_TO_STORE", "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION" "member":{ ... } "token_type":"bearer", "expires_in":3600, }
Have your server make a POST request for an access token with the following URL format:
https://api.meetup.com/sessions? &email=YOUR_EMAIL &password=YOUR_PASSWORD
The request header should include Authorization: "Bearer ACCESS_TOKEN"
where the ACCESS_TOKEN
is the token you recieved from the previous step. The email and password should be the one used to signup to Meetup. This will only work for Pro customers.
A successful response will contain an oauth_token
that you can use as your access_token
to make authorized requests.
See the making authenticated requests section below
This flow is suitable for JavaScript based browser clients.
Redirect the user's browser to the following URL
https://secure.meetup.com/oauth2/authorize ?client_id=YOUR_CONSUMER_KEY &response_type=token &redirect_uri=YOUR_CONSUMER_REDIRECT_URI
This will ask the user to log in if they are not already logged in then prompt them to authorize your application.
The response parameters listed in the server flow's success (with the exception of refresh_token
) and failure access token responses will be included in the implicit authorization's client response appended as a url fragment. Because this information is encoded in a url fragment, it can only be retrieved with client-side browser scripts.
See the making authenticated requests section below
Once received, an access_token
may expire. You can refresh the access_token
at any time and without involving the user by making a token refresh request. Note, this requires client credentials which users of the implicit flow should not be storing.
To refresh an access_token
, have your server make an HTTP application/x-www-form-urlencoded
encoded POST request for an access token with the following format, this time setting grant_type
to refresh_token
.
https://secure.meetup.com/oauth2/accesswith the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY &client_secret=YOUR_CONSUMER_SECRET &grant_type=refresh_token &refresh_token=REFRESH_TOKEN_YOU_RECEIVED_FROM_ACCESS_RESPONSE
We also support the usage of query string parameters for this flow but the request method must be POST.
A successful response will contain the following data in application/json
format
{ "access_token":"ACCESS_TOKEN_TO_STORE", "token_type": "bearer", "expires_in":3600, "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION" }
A failure response will contain an application/json
encoded string with an error property containing one of the following values
error | reason |
---|---|
invalid_request | The request was malformed or missing parameters |
invalid_client | Client authentication failed |
invalid_grant | The provided code was invalid |
unauthorized_client | The provided client was not authorized to use this grant type |
unsupported_grant_type | Meetup does not support the provided grant type |
See the making authenticated requests section below for use of your refreshed set of credentials
After successfully obtaining member authorization and an access_token you may now make authenticated API requests using HTTPS by supplying the token value in an Authorization
header prefixed with bearer
and a space.
curl -H "Authorization: Bearer {access_token}" https://api.meetup.com/members/self/
At any time, a user may choose to revoke access to your application here. This will invalidate any access credentials your application may have been provided for that user.
In order to re-obtain authorization, your application will need to re-request authorization from the user.
Access tokens received from the implicit oauth2 flow will also expire, regardless of the ageless
scope, when the user logs out of meetup.com.
In some cases, you may want to display Meetup's authorization page in a more compact way for mobile devices or
a JavaScript popup window. For these cases just append the query parameter set_mobile
with a value of on
.
Besides asking the user to log in or to authorize your application, a user may be asked to create an account if they are not already a member. If they choose to do so through they are sent an email verification link which. Once verified, if you are using the server flow, Meetup will redirect the user to your application with the user granted authorization.
If you are implementing an implicit client, you should be aware of this in your design. Typically these clients will open a popup window to display the Meetup login and authorization forms. If the user chooses to create an account through Meetup, after the verification step, the user will only be sent to meetup.com and not redirected to your app which, by that time will most likely have lost the local state need to handle in the incoming request in a new window.
Member registration as part of an OAuth flow can be helpful if the member wishing to log into your application is not a member on Meetup. It can also add complexity. Applications may opt out of registration by providing an additional parameter named suppress
, who's value is set to reg
. This will have the effect of suppressing a link to register for a new Meetup account if your application user is not already a member on Meetup. You should be clear in any of your application's interstitial views prior to redirecting your user to Meetup that your application requires an account on meetup.com.
OAuth 2 includes the concept of access scopes
which further restrict access of a consumer to a Meetup user's data. All clients are implicitly configured with the basic
scope.
To request this additional scope, pass a value of one or more scope names using +
space encoding in the scope
request parameter to the url for obtaining authorization, https://secure.meetup.com/oauth2/authorize
.
Below is a table of the available Meetup API scopes names an their associated permissions.
scope | permission |
---|---|
ageless | Replaces the one hour expiry time from oauth2 tokens with a limit of up to two weeks |
basic | Access to basic Meetup group info and creating and editing Events and RSVP's, posting photos in version 2 API's and below |
event_management | Allows the authorized application to create and make modifications to events in your Meetup groups on your behalf |
group_edit | Allows the authorized application to edit the settings of groups you organize on your behalf |
group_content_edit | Allows the authorized application to create, modify and delete group content on your behalf |
group_join | Allows the authorized application to join new Meetup groups on your behalf |
profile_edit | Allows the authorized application to edit your profile information on your behalf |
reporting | Allows the authorized application to block and unblock other members and submit abuse reports on your behalf |
rsvp | Allows the authorized application to RSVP you to events on your behalf |
Note, when making a request you should be able to see which scopes have been enabled and are required using in the following headers
X-OAuth-Scopes: basic, reporting
X-Accepted-OAuth-Scopes: basic, reporting
You should also be able to see which scopes are required in the method documentation.