I'm building PHP tools on a colleague's website to show their Instagram media on their website. I understand that the current procedure is to authenticate the application and use an access_token to fetch media.

Step One: Direct your user to our authorization URL
Step Two: Receive the redirect from Instagram
Step Three: Request the access_token

The workflow seems to be:

  1. Direct the user to the authentication URL, passing the client_id.
  2. The user authenticates and is returned to the callback URL.
  3. My page receives the returned code.
  4. Send the client_id, client_secret, and code to receive an access_token.
  5. Use the access_token to fetch media from the API.

The problem is that I will be delivering this code to my colleague and I do not want to hardcode my client_secret. So, I'm assuming I can't use my own developer account. Does my colleague need to create their own developer account, register an app, and get their own client_id and client_secret?

Would this be the correct workflow for my situation?

  1. Instruct my colleague to create a developer account, register an app, and get a client_id and client_secret.
  2. Prompt them to enter their client_id into a form on their site.
  3. Submit the form to the Instagram Authentication URL and receive the returned code.
  4. Prompt them to enter their client_id again with their client_secret into a form.
  5. Send the client_id, client_secret, and code and retrieve the access_token (using CURL).
  6. Store the access_token in the database for later use.

0 Answers
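
The code exchange described in the question, as an added example that is not part of the original post: it reads the client_id and client_secret from server-side environment settings instead of source code or a web form, and adds the standard OAuth 2.0 `state` check on the callback. The `IG_*` setting names (including the two endpoint URLs, to be filled in from the provider's documentation) and the single-page layout are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; the IG_* setting names and the single callback page are assumptions.
session_start();

// Required settings come from the server environment, never from source code or a form.
function cfg(string $name): string {
    $v = getenv($name);
    if ($v === false || $v === '') throw new RuntimeException("Missing setting: $name");
    return $v;
}
$app = ['client_id' => cfg('IG_CLIENT_ID'), 'redirect_uri' => cfg('IG_REDIRECT_URI')];

if (!is_string($_GET['code'] ?? null)) {
    // No code yet: redirect to the authorization URL with a one-time state value.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    $query = http_build_query($app + ['response_type' => 'code', 'state' => $_SESSION['oauth_state']]);
    header('Location: ' . cfg('IG_AUTHORIZE_URL') . '?' . $query);
    exit;
}

// Callback: accept the returned code only if this session started the flow.
$expected = $_SESSION['oauth_state'] ?? '';
$state = $_GET['state'] ?? '';
unset($_SESSION['oauth_state']); // state is single-use
if (!is_string($state) || $expected === '' || !hash_equals($expected, $state)) {
    http_response_code(400);
    exit('Invalid state');
}

// Exchange the code server-side so the client_secret never reaches the browser.
$ch = curl_init(cfg('IG_TOKEN_URL'));
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_POSTFIELDS     => http_build_query($app + [ // setting POSTFIELDS makes this a POST
        'client_secret' => cfg('IG_CLIENT_SECRET'),
        'grant_type'    => 'authorization_code',
        'code'          => $_GET['code'],
    ]),
]);
$body = curl_exec($ch);
$data = is_string($body) ? json_decode($body, true) : null;
if (curl_getinfo($ch, CURLINFO_RESPONSE_CODE) !== 200 || !is_array($data) || empty($data['access_token'])) {
    http_response_code(502);
    exit('Token exchange failed'); // do not echo the provider's response to the browser
}
// From here, store $data['access_token'] server-side (storage layer not shown).
```

With this layout the delivered code contains no credentials: whoever registers the app sets the values in the web server's environment, and the same file works unchanged for a different client_id and client_secret.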