Flickr Authentication API
Mobile Applications How-To

This is a simple step-by-step guide to creating a mobile application using the Flickr Authentication API. A full spec of the API can be found here. See also: web how-to, desktop how-to.

1. Obtain an API key

Every Flickr API application needs to obtain an API 'key'. You can apply for a key here.

2. Configure your key

Once you've been issued a key, it will appear in this list. Click on the 'Not configured' link for your key to start the configuration process.

Note down the Shared Secret - you'll need it in a moment.

Title and Description are required for all applications - the Logo is optional. The Application URL should point to a page on your website describing your application, but is optional. All four of these fields are used when asking a user if they want to allow your application to authenticate them.

Select Mobile Application for your Authentication Type. You can then choose a permission level for your application. The choices are as follows:

Note down your authentication URL (it should be shown under the permission settings). It should look something like this: http://www.flickr.com/auth-12345678

3. Obtain a mini-token

Send the user to the authentication URL you obtained above. You can either link the user to this page from your application's download page, or have the application ask them to visit the URL.

Once a user has completed the auth process on flickr.com, they will be given a 9-digit code, for example: 123-456-789.

You should prompt the user to enter this code into your application. Our recommended format is to provide three separate boxes, but a single text input will work:

4. Exchange the mini-token for a full token

If you're using an API kit (you can see a list here) then you can use the provided function to make authenticated and signed API calls. Please check the documentation for your API kit for details.

To obtain a full authentication token, you call the flickr.auth.getFullToken method.

This call requires a signature, in addition to the api_key and mini_token arguments. In our examples, our API key is 9a0554259914a86fb9e7eb014e4e5d52 and our shared secret is 000005fab4534d05. To generate a signature, we take our shared secret and prepend it to the list of arguments sorted alphabetically by name, with each argument name followed directly by its value. In this example, our arguments are:

So our signature string is:

000005fab4534d05api_key9a0554259914a86fb9e7eb014e4e5d52methodflickr.auth.getFullTokenmini_token123-456-789

We then take the MD5 sum of this string and use it as our signature. It should be added as a named argument called 'api_sig'. Our argument list now looks like this:

The response to the method call looks like this:

<auth>
	<token>45-76598454353455</token>
	<perms>read</perms>
	<user nsid="12037949754@N01" username="Bees" fullname="Cal H" />
</auth>

<perms> should contain the permissions you requested. The <token> element contains the token - this is a value you'll need for making authenticated API calls - it ties a specific user to your application's API key, with a specific level of permissions.

5. Make an authenticated call

Once you have a token, you can make an authenticated method call. In our example we'll call flickr.blogs.getList to get a list of configured blogs for the user.

In addition to the usual method arguments we pass the token, as the named argument auth_token. After adding the token to the argument list, we generate a signature as before. The argument list is:

So our signature string is:

000005fab4534d05api_key9a0554259914a86fb9e7eb014e4e5d52auth_token45-76598454353455methodflickr.blogs.getList

The MD5 sum of this, our signature, is 09f16d79f53bc24f440149af875cdf9d.

Every authenticated call requires both the auth_token and api_sig arguments.
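The signing procedure from steps 4 and 5, as an added Python example (not Flickr's code or an API kit). The helper names are hypothetical, the key, secret and response are the sample values printed above, and sending the mini-token in its dashed form is an assumption taken from the example signature string.

```python
import hashlib
import xml.etree.ElementTree as ET

API_KEY = "9a0554259914a86fb9e7eb014e4e5d52"  # sample key from this how-to
SHARED_SECRET = "000005fab4534d05"            # sample secret from this how-to
SAMPLE_RESPONSE = """<auth>
	<token>45-76598454353455</token>
	<perms>read</perms>
	<user nsid="12037949754@N01" username="Bees" fullname="Cal H" />
</auth>"""


def normalize_mini_token(raw):
    """Accept one text input or three joined boxes; return NNN-NNN-NNN (assumed form)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("mini-token must contain exactly 9 digits")
    return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}"


def signature_string(secret, args):
    """Shared secret, then each argument name followed by its value, sorted by name."""
    if "api_sig" in args:
        raise ValueError("api_sig is the output of signing and is never signed itself")
    return secret + "".join(name + str(args[name]) for name in sorted(args))


def sign(secret, args):
    """Return a copy of args with api_sig (MD5 hex of the signature string) added."""
    digest = hashlib.md5(signature_string(secret, args).encode("utf-8")).hexdigest()
    return {**args, "api_sig": digest}


def parse_auth(xml_text, expected_perms):
    """Extract the full token; reject a response whose <perms> differs from the request."""
    auth = ET.fromstring(xml_text)
    token, perms = auth.findtext("token"), auth.findtext("perms")
    if not token or perms != expected_perms:
        raise ValueError(f"unexpected auth response: perms={perms!r}")
    return token


if __name__ == "__main__":
    step4 = {"api_key": API_KEY, "method": "flickr.auth.getFullToken",
             "mini_token": normalize_mini_token("123 456 789")}
    print(sign(SHARED_SECRET, step4))
    token = parse_auth(SAMPLE_RESPONSE, "read")
    step5 = {"api_key": API_KEY, "auth_token": token, "method": "flickr.blogs.getList"}
    print(sign(SHARED_SECRET, step5))
```

Keep the shared secret out of logs and crash reports: anyone holding it can compute a valid api_sig for any argument list under your API key.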