addressalign-toparrow-leftarrow-leftarrow-right-10x10arrow-rightbackbellblockcalendarcameraccwcheckchevron-downchevron-leftchevron-rightchevron-small-downchevron-small-leftchevron-small-rightchevron-small-upchevron-upcircle-with-checkcircle-with-crosscircle-with-pluscontroller-playcredit-cardcrossdots-three-verticaleditemptyheartexporteye-with-lineeyefacebookfolderfullheartglobe--smallglobegmailgooglegroupshelp-with-circleimageimagesinstagramFill 1languagelaunch-new-window--smalllight-bulblinklocation-pinlockm-swarmSearchmailmediummessagesminusmobilemoremuplabelShape 3 + Rectangle 1ShapeoutlookpersonJoin Group on CardStartprice-ribbonprintShapeShapeShapeShapeImported LayersImported LayersImported Layersshieldstartickettrashtriangle-downtriangle-uptwitteruserwarningyahooyoutube

Authenticating Requests

Most Meetup API endpoints require member authentication to protect access to privacy and to personalize responses.

Using OAuth 2

The Meetup API provides support for OAuth 2. We require HTTPS for all API access. If your application does not use HTTPS, our servers will respond with a 400 error and a message asking you to do so.

We provide implementations of both the server and implicit protocol flows. We provide the following endpoints for both where necessary.

EndpointURL
Authorizationhttps://secure.meetup.com/oauth2/authorize
Access Tokenshttps://secure.meetup.com/oauth2/access

Redirect URIs

Before you can use OAuth 2 for user authorization, you need to either register a new OAuth consumer or add a redirect_uri to your existing consumer by clicking the edit link next to you consumer's listing. The redirect_uri you register for a given client will be used to validate future oauth2 requests.

This uri is used as a basis for validating the address authorization requests will redirect a member to after granting or denying access to your app.

If provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL.

CALLBACK: http://example.com/path

GOOD: http://example.com/path
GOOD: http://example.com/path/subdir/other
BAD:  http://example.com/bar
BAD:  http://example.com/
BAD:  http://example.com:8080/path
BAD:  http://oauth.example.com:8080/path
BAD:  http://example.org
      

Server Flow

This flow is suitable for applications that are capable of securely storing consumer secrets.

Requesting Authorization

Redirect your user to the following URL in a browser:

https://secure.meetup.com/oauth2/authorize
  ?client_id=YOUR_CONSUMER_KEY
  &response_type=code
  &redirect_uri=YOUR_CONSUMER_REDIRECT_URI

The redirect_uri used here may vary but must start with the same redirect_uri you have registered with your consumer.

Meetup will ask the user to login if they are not already logged in. If the user has previously authorized access for the provided client_id, Meetup will immediately redirect the user back to the redirect_uri with success query parameters. If the authenticated user has not previously authorized the provided client or has revoked its access, Meetup will prompt them to authorize your application. Afterwords, Meetup will redirect the user back to the provided redirect_uri along with their response.

A successful authorization will contain these query parameters:

ParameterDescription
codeA string that can only be used once to request an access token
stateAn opaque string that you may provide in the initial request

A failed authorization will contain an optional state parameter as mentioned above as well as an error query parameter with one of the following values

ErrorReason
invalid_requestThe request was malformed or missing parameters
unauthorized_clientThe client is not authorized
access_deniedThe user denied the request for authorization
unsupported_response_typeMeetup doesn't support the provided response_type
4xx or 5xxThe HTTP status code of any other error

Requesting Access Token

Have your server make an HTTP application/x-www-form-urlencoded encoded POST request for an access token with the following format:

https://secure.meetup.com/oauth2/access
with the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY
&client_secret=YOUR_CONSUMER_SECRET
&grant_type=authorization_code
&redirect_uri=SAME_REDIRECT_URI_USED_FOR_PREVIOUS_STEP
&code=CODE_YOU_RECEIVED_FROM_THE_AUTHORIZATION_RESPONSE

The important parameter to note is grant_type which should be set to authorization_code. The redirect_uri used in this step must be the same redirect_uri used in the previous step.

We also support the usage of query string parameters for this method.

A successful response will contain the following data in application/json format

{
  "access_token":"ACCESS_TOKEN_TO_STORE",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}

A failure response will contain an application/json encoded string with an error property containing one of the following values

ErrorReason
invalid_requestThe request was malformed or missing parameters
invalid_clientClient authentication failed
unauthorized_clientThe provided client was not authorized to use this grant type
invalid_grantThe provided code was invalid
unsupported_grant_typeMeetup does not support the provided grant type

Make authenticated requests

See the making authenticated requests section below

Server Flow with User Credentials

This is currently only available to Meetup Pro users

Use this flow when you want to write a program that uses the Meetup API using your own user credentials.

To use this flow, your application should be capable of securely storing consumer secrets and the username and password and must make all requests using HTTPS. Additionally, all requests should include Accept: application/json in the header.

Requesting Authorization

Make an authorization request to the following URL

https://secure.meetup.com/oauth2/authorize
  ?client_id=YOUR_CONSUMER_KEY
  &redirect_uri=YOUR_CONSUMER_REDIRECT_URI
  &response_type=anonymous_code

The important parameter to note is response_type which should be set to anonymous_code.

A successful response will contain the following data in application/json format

{
  "code": "SINGLE_USE_AUTHORIZATION_CODE"
}

Requesting Access Token

Have your server make a POST request for an access token with the following format:

https://secure.meetup.com/oauth2/access?
  client_id=YOUR_CONSUMER_KEY
  &client_secret=YOUR_CONSUMER_SECRET
  &grant_type=anonymous_code
  &redirect_uri=SAME_REDIRECT_URI_USED_FOR_PREVIOUS_STEP
  &code=CODE_YOU_RECEIVED_FROM_THE_AUTHORIZATION_RESPONSE

The important parameter to note is grant_type which should be set to anonymous_code.

A successful response will contain the following data in application/json format

{
  "access_token":"ACCESS_TOKEN_TO_STORE",
  "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
  "member":{
    ...
  }
  "token_type":"bearer",
  "expires_in":3600,
}

Request Access Token Using Your Credentials

Have your server make a POST request for an access token with the following URL format:

https://api.meetup.com/sessions?
  &email=YOUR_EMAIL
  &password=YOUR_PASSWORD

The request header should include Authorization: "Bearer ACCESS_TOKEN" where the ACCESS_TOKEN is the token you recieved from the previous step. The email and password should be the one used to signup to Meetup. This will only work for Pro customers.

A successful response will contain an oauth_token that you can use as your access_token to make authorized requests.

Make authenticated requests

See the making authenticated requests section below

Implicit Flow

This flow is suitable for JavaScript based browser clients.

Requesting Authorization and Receiving Access Token

Redirect the user's browser to the following URL

https://secure.meetup.com/oauth2/authorize
  ?client_id=YOUR_CONSUMER_KEY
  &response_type=token
  &redirect_uri=YOUR_CONSUMER_REDIRECT_URI

This will ask the user to log in if they are not already logged in then prompt them to authorize your application.

The response parameters listed in the server flow's success (with the exception of refresh_token) and failure access token responses will be included in the implicit authorization's client response appended as a url fragment. Because this information is encoded in a url fragment, it can only be retrieved with client-side browser scripts.

Make authenticated requests

See the making authenticated requests section below

Refreshing Your Access Token

Once received, an access_token may expire. You can refresh the access_token at any time and without involving the user by making a token refresh request. Note, this requires client credentials which users of the implicit flow should not be storing.

Refreshing Token

To refresh an access_token, have your server make an HTTP application/x-www-form-urlencoded encoded POST request for an access token with the following format, this time setting grant_type to refresh_token.

https://secure.meetup.com/oauth2/access
with the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY
  &client_secret=YOUR_CONSUMER_SECRET
  &grant_type=refresh_token
  &refresh_token=REFRESH_TOKEN_YOU_RECEIVED_FROM_ACCESS_RESPONSE

We also support the usage of query string parameters for this flow but the request method must be POST.

A successful response will contain the following data in application/json format

{
  "access_token":"ACCESS_TOKEN_TO_STORE",
  "token_type": "bearer",
  "expires_in":3600,
  "refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}

A failure response will contain an application/json encoded string with an error property containing one of the following values

errorreason
invalid_requestThe request was malformed or missing parameters
invalid_clientClient authentication failed
invalid_grantThe provided code was invalid
unauthorized_clientThe provided client was not authorized to use this grant type
unsupported_grant_typeMeetup does not support the provided grant type

Make authenticated requests

See the making authenticated requests section below for use of your refreshed set of credentials

Making Authenticated Requests

After successfully obtaining member authorization and an access_token you may now make authenticated API requests using HTTPS by supplying the token value in an Authorization header prefixed with bearer and a space.

curl -H "Authorization: Bearer {access_token}" https://api.meetup.com/members/self/

User Deauthorization

At any time, a user may choose to revoke access to your application here. This will invalidate any access credentials your application may have been provided for that user.

In order to re-obtain authorization, your application will need to re-request authorization from the user.

Access tokens received from the implicit oauth2 flow will also expire, regardless of the ageless scope, when the user logs out of meetup.com.

Mobile-Optimized Authorization Display

In some cases, you may want to display Meetup's authorization page in a more compact way for mobile devices or a JavaScript popup window. For these cases just append the query parameter set_mobile with a value of on.

User signup

Besides asking the user to log in or to authorize your application, a user may be asked to create an account if they are not already a member. If they choose to do so through they are sent an email verification link which. Once verified, if you are using the server flow, Meetup will redirect the user to your application with the user granted authorization.

If you are implementing an implicit client, you should be aware of this in your design. Typically these clients will open a popup window to display the Meetup login and authorization forms. If the user chooses to create an account through Meetup, after the verification step, the user will only be sent to meetup.com and not redirected to your app which, by that time will most likely have lost the local state need to handle in the incoming request in a new window.

Member registration as part of an OAuth flow can be helpful if the member wishing to log into your application is not a member on Meetup. It can also add complexity. Applications may opt out of registration by providing an additional parameter named suppress, who's value is set to reg. This will have the effect of suppressing a link to register for a new Meetup account if your application user is not already a member on Meetup. You should be clear in any of your application's interstitial views prior to redirecting your user to Meetup that your application requires an account on meetup.com.

Permission Scopes

OAuth 2 includes the concept of access scopes which further restrict access of a consumer to a Meetup user's data. All clients are implicitly configured with the basic scope.

To request this additional scope, pass a value of one or more scope names using + space encoding in the scope request parameter to the url for obtaining authorization, https://secure.meetup.com/oauth2/authorize.

Below is a table of the available Meetup API scopes names an their associated permissions.

scopepermission
agelessReplaces the one hour expiry time from oauth2 tokens with a limit of up to two weeks
basicAccess to basic Meetup group info and creating and editing Events and RSVP's, posting photos in version 2 API's and below
event_management Allows the authorized application to create and make modifications to events in your Meetup groups on your behalf
group_edit Allows the authorized application to edit the settings of groups you organize on your behalf
group_content_edit Allows the authorized application to create, modify and delete group content on your behalf
group_join Allows the authorized application to join new Meetup groups on your behalf
profile_edit Allows the authorized application to edit your profile information on your behalf
reportingAllows the authorized application to block and unblock other members and submit abuse reports on your behalf
rsvpAllows the authorized application to RSVP you to events on your behalf

Note, when making a request you should be able to see which scopes have been enabled and are required using in the following headers

X-OAuth-Scopes: basic, reporting
X-Accepted-OAuth-Scopes: basic, reporting

You should also be able to see which scopes are required in the method documentation.