Most Meetup API endpoints require member authentication for context. We support four different authentication methods, suggested for different kinds of applications:
for apps that carry out actions for many Meetup users. The successor to OAuth 1.0a.
for apps that carry out actions for many Meetup users.
for JavaScript apps that would expose any key in their source.
for JavaScript apps that would expose any key in their source.
We support HTTPS for all API methods and strongly encourage using it for requests that have an API key parameter and for OAuth token exchange requests. HTTPS is required for OAuth 2 usage.
The Meetup API provides support for OAuth 2, the superseding specification for OAuth 1, authentication. This protocol requires all client communication with the Meetup servers to use HTTPS. If your application does not, our servers will response with a 400 error and a message asking you to do so.
We provide implementations of both the server and implicit protocol flows. We provide the following endpoints for both where necessary.
| Endpoint | URL |
|---|---|
| Authorization | https://secure.meetup.com/oauth2/authorize |
| Access Tokens | https://secure.meetup.com/oauth2/access |
Before you can use OAuth 2 for user authorization, you need to either register a new OAuth consumer or add a redirect_uri to your existing consumer by clicking the edit link next to you consumer's listing. The redirect_uri you register for a given client will be used to validate future oauth2 requests.
This uri is used as a basis for validating the address authorization requests will redirect a member to after granting or denying access to your app.
If provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL.
CALLBACK: http://example.com/path GOOD: http://example.com/path GOOD: http://example.com/path/subdir/other BAD: http://example.com/bar BAD: http://example.com/ BAD: http://example.com:8080/path BAD: http://oauth.example.com:8080/path BAD: http://example.org
OAuth 2 consumers are also valid OAuth 1.0a consumers.
This flow is suitable for applications that are capable of securely storing consumer secrets.
Redirect your user to the following URL in a browser:
https://secure.meetup.com/oauth2/authorize
?client_id=YOUR_CONSUMER_KEY
&response_type=code
&redirect_uri=YOUR_CONSUMER_REDIRECT_URI
The redirect_uri used here may vary but must start with the same redirect_uri you have registered with your consumer.
Meetup will ask the user to login if they are not already logged in. If the user has previously authorized access for the provided client_id, Meetup will immediately redirect the user back to the redirect_uri with success query parameters. If the authenticated user has not previously authorized the provided client or has revoked its access, Meetup will prompt them to authorize your application. Afterwords, Meetup will redirect the user back to the provided redirect_uri along with their response.
A successful authorization will contain these query parameters:
| Parameter | Description |
|---|---|
| code | A string that can only be used once to request an access token |
| state | An opaque string that you may provide in the initial request |
A failed authorization will contain an optional state parameter as mentioned above as well as an error query parameter with one of the following values
| Error | Reason |
|---|---|
| invalid_request | The request was malformed or missing parameters |
| unauthorized_client | The client is not authorized |
| access_denied | The user denied the request for authorization |
| unsupported_response_type | Meetup doesn't support the provided response_type |
| 4xx or 5xx | The HTTP status code of any other error |
Have your server make an HTTP application/x-www-form-urlencoded
encoded POST request for an access token with the following format:
https://secure.meetup.com/oauth2/accesswith the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY &client_secret=YOUR_CONSUMER_SECRET &grant_type=authorization_code &redirect_uri=SAME_REDIRECT_URI_USED_FOR_PREVIOUS_STEP &code=CODE_YOU_RECEIVED_FROM_THE_AUTHORIZATION_RESPONSE
The important parameter to note is grant_type which should be set to authorization_code. The redirect_uri used in this step must be the same redirect_uri used in the previous step.
We also support the usage of query string parameters for this method.
A successful response will contain the following data in application/json format
{
"access_token":"ACCESS_TOKEN_TO_STORE",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}
A failure response will contain an application/json encoded string with an error property containing one of the following values
| Error | Reason |
|---|---|
| invalid_request | The request was malformed or missing parameters |
| invalid_client | Client authentication failed |
| unauthorized_client | The provided client was not authorized to use this grant type |
| invalid_grant | The provided code was invalid |
| unsupported_grant_type | Meetup does not support the provided grant type |
See the making authenticated requests section below
This flow is suitable for JavaScript based browser clients.
Redirect the user's browser to the following URL
https://secure.meetup.com/oauth2/authorize ?client_id=YOUR_CONSUMER_KEY &response_type=token &redirect_uri=YOUR_CONSUMER_REDIRECT_URI
This will ask the user to log in if they are not already logged in then prompt them to authorize your application.
The response parameters listed in the server flow's success (with the exception of refresh_token) and failure access token responses will be included in the implicit authorization's client response appended as a url fragment. Because this information is encoded in a url fragment, it can only be retrieved with client-side browser scripts.
See the making authenticated requests section below
Once received, an access_token may expire. You can refresh the access_token at any time and without involving the user by making a token refresh request. Note, this requires client credentials which users of the implicit flow should not be storing.
To refresh an access_token, have your server make an HTTP application/x-www-form-urlencoded encoded POST request for an access token with the following format, this time setting grant_type to refresh_token.
https://secure.meetup.com/oauth2/accesswith the body of the request being (line breaks are for readability)
client_id=YOUR_CONSUMER_KEY &client_secret=YOUR_CONSUMER_SECRET &grant_type=refresh_token &refresh_token=REFRESH_TOKEN_YOU_RECEIVED_FROM_ACCESS_RESPONSE
We also support the usage of query string parameters for this flow but the request method must be POST.
A successful response will contain the following data in application/json format
{
"access_token":"ACCESS_TOKEN_TO_STORE",
"token_type": "bearer",
"expires_in":3600,
"refresh_token":"TOKEN_USED_TO_REFRESH_AUTHORIZATION"
}
A failure response will contain an application/json encoded string with an error property containing one of the following values
| error | reason |
|---|---|
| invalid_request | The request was malformed or missing parameters |
| invalid_client | Client authentication failed |
| invalid_grant | The provided code was invalid |
| unauthorized_client | The provided client was not authorized to use this grant type |
| unsupported_grant_type | Meetup does not support the provided grant type |
See the making authenticated requests section below for use of your refreshed set of credentials
After successfully obtaining member authorization and an access_token you may now make authenticated API requests using HTTPS by supplying the token value in an Authorization header prefixed with bearer and a space.
curl -H "Authorization: Bearer {access_token}" https://api.meetup.com/2/member/self/
or by sending the same access token as a request parameter
curl "https://api.meetup.com/2/member/self/?access_token={access_token}"
At any time, a user may choose to revoke access to your application here. This will invalidate any access credentials your application may have been provided for that user.
In order to re-obtain authorization, your application will need to re-request authorization from the user.
Access tokens received from the implicit oauth2 flow will also expire, regardless of the ageless scope, when the user logs out of meetup.com.
In some cases, you may want to display Meetup's authorization page in a more compact way for mobile devices or
a JavaScript popup window. For these cases just append the query parameter set_mobile with a value of on.
Besides asking the user to log in or to authorize your application, a user may be asked to create an account if they are not already a member. If they choose to do so through they are sent an email verification link which. Once verified, if you are using the server flow, Meetup will redirect the user to your application with the user granted authorization.
If you are implementing an implicit client, you should be aware of this in your design. Typically these clients will open a popup window to display the Meetup login and authorization forms. If the user chooses to create an account through Meetup, after the verification step, the user will only be sent to meetup.com and not redirected to your app which, by that time will most likely have lost the local state need to handle in the incoming request in a new window.
Member registration as part of an OAuth flow can be helpful if the member wishing to log into your application is not a member on Meetup. It can also add complexity. Applications may opt out of registration by providing an additional parameter named suppress, who's value is set to reg. This will have the effect of suppressing a link to register for a new Meetup account if your application user is not already a member on Meetup. You should be clear in any of your application's interstitial views prior to redirecting your user to Meetup that your application requires an account on meetup.com.
OAuth 2 introduces the concept of access scopes which further restrict access of a consumer to a Meetup user's data. All o-authorized clients and API keys are implicitly provided the basic scope. We offer an additional scope, messaging, which enables Members and Organizers to send messages, preferences permitting, to one another. This feature is available for both OAuth 1.0a and OAuth 2 clients but not API key-based authentication.
To request this additional scope, pass a value of one or more scope names using + space encoding in the scope request parameter to the end point for obtaining a request token in OAuth 1.0a, https://api.meetup.com/oauth/request/, and the endpoint for obtaining authorization in OAuth 2, https://secure.meetup.com/oauth2/authorize.
Below is a table of the available Meetup API scopes names an their associated permissions.
| scope | permission |
|---|---|
| ageless | Replaces the one hour expiry time from oauth2 tokens with a limit of up to two weeks |
| basic | Access to basic Meetup group info and creating and editing Events and RSVP's, posting photos in version 2 API's and below |
| event_management | Allows the authorized application to create and make modifications to events in your Meetup groups on your behalf |
| group_edit | Allows the authorized application to edit the settings of groups you organize on your behalf |
| group_content_edit | Allows the authorized application to create, modify and delete group content on your behalf |
| group_join | Allows the authorized application to join new Meetup groups on your behalf |
| messaging | Enables Member to Member messaging (this is now deprecated) |
| profile_edit | Allows the authorized application to edit your profile information on your behalf |
| reporting | Allows the authorized application to block and unblock other members and submit abuse reports on your behalf |
| rsvp | Allows the authorized application to RSVP you to events on your behalf |
Note, when making a request you should be able to see which scopes have been enabled and are required using in the following headers
X-OAuth-Scopes: basic, reporting
X-Accepted-OAuth-Scopes: basic, reporting
You should also be able to see which scopes are required in the method documentation.
At this time, there is a proposal for access tokens to be associated with a token_type which determines how authenticated requests provide the access_token parameter. The two which are documented are bearer and mac, both of which are still both in early draft phases of specification. In the future, the Meetup API may require either of these in place of simply appending the access_token to a request. Application developers should be aware of this and plan accordingly.
The Meetup API supports authentication of third-party applications using the OAuth protocol. This allows your application to access a user's data and RSVP to events on behalf of the user (after they have explicitly granted permission). If you would like to set up an OAuth consumer to use for your application, you can create one here. The procedure to making requests with OAuth is as follows:
oauth_callback parameter. Set it to URL that the user will be redirected to after authorizing the application, or oob for out-of-band authentication. The response will include a key and secret for a request token.verifier is displayed as a "pin" for the user to enter into your application.Signatures are used to ensure the identity of the consumer application. Currently, the Meetup implementation of OAuth supports plaintext and HMAC_SHA1 as signature methods. For the URL portion of the signature base string, use the following values:
| Endpoint | URL |
|---|---|
| Request Tokens | https://api.meetup.com/oauth/request/ |
| Access Tokens | https://api.meetup.com/oauth/access/ |
| Protected Resources (API endpoints) | https://api.meetup.com/ |
Endpoint: https://secure.meetup.com/authenticate/?oauth_token=request_token_key
In addition to the standard OAuth 1.0a authorization flow, we support an authentication endpoint for sites that wish to use Meetup to sign in users. Under certain conditions this endpoint will immediately redirect back to the callback URL:
When these conditions are not satisfied the authentication endpoint behaves the same as the authorization endpoint, sending the user to the sign in or authorization page as appropriate.
OAuth requests must also satisfy the following requirements:
This is the easiest way to get started using the API. Simply access your API Key and append it to any request. The request's authorization will be based on your key. Remember that an API key is your personal secret key to access the Meetup API. Do not share or publish this private token. Do not access the Meetup API using an API key that does not belong to your account. To make requests on behalf of another user, use OAuth instead.
Similar to OAuth signing, this method of authentication certifies that a specific request was approved by your user account. Unlike OAuth-signed requests, key-signed requests may be reused and recycled as long as their corresponding API key is valid. A signed url can be used to interact with Meetup as if the API key were present; the difference is that parameters cannot be changed, nor can the signed key be used for other API methods.
Because requests are signed with an API key as well as a Meetup private key, it is not possible to sign requests independently from Meetup. To sign a request, a "sign=true" parameter must be used with a standard read request authorized by an API key. This causes a "signed_url" field to be returned in the response metadata.
Parameters: all of the required parameters for the standard request must be supplied, as well as the following:
Variable Parameters: Certain parameters are excluded from the URL signature calculation so that they may be updated to recycle the request.
Along with the normal results and metadata, a "signed_url" is returned that can be used to repeat the request. In JSON it is in the "meta" object, in XML the "head" element.
Get the upcoming NY Tech Meetups.
https://api.meetup.com/2/events?key=ABDE12456AB2324445&group_urlname=ny-tech&sign=true
The returned "signed_url" field to be published and reused.
https://api.meetup.com/2/events/?radius=25.0&order=time&group_urlname=ny-tech&offset=0&format=json&page=20&sig_id=123456780&sig=xxxxxx
