# Backend setup

Your backend must support OAuth 2.0 token exchange to obtain Spotnana tokens on behalf of your users. This page explains the backend setup process.

## Get client credentials from Spotnana

Spotnana will provide you with a unique `client_id` and `client_secret`, which you'll use to request an access token every time a user logs in to the platform. Store the client secret in a secrets manager or as an environment variable on your backend; never commit it to your codebase, and never ship it to a browser or mobile client.

## Create a get user detail API endpoint

You must create a **get user detail** API in your system. Spotnana will call this API to validate the identity of the logged-in user. The request from Spotnana carries the user's bearer token (the same `subject_token` you send in the token exchange request below), and your **get user detail** endpoint must return that user's email address from your system.

For example, Spotnana sends an API request with the following format:

```
GET https://api.yourcompany.com/v1/user-detail
Authorization: Bearer
```

Your endpoint should return a JSON response containing the user's email as shown below:

```json
{
  "user": {
    "email": "user@yourcompany.com"
  }
}
```

**Notes:**

- If your response cannot include a field called **email**, contact your Spotnana account representative to set up a custom mapping.
- The email address must be the same as the one used to create the user's profile on the Spotnana platform. We'll use this information to verify the user's identity within our system.
- Because the returned email is what establishes the user's identity, your endpoint must validate the bearer token (signature or session lookup, plus expiry) before returning anything, and must answer with a non-2xx status (for example `401`) when the token is missing, expired, or invalid.

## Token exchange request

To obtain a Spotnana access token on behalf of the user, your system must send a POST request to the [OAuth token generation](/openapi/authapi/authentication/fetchoauth2token) endpoint.
Here's a sample API request:

```shell
curl -X POST "https://api-ext-sboxmeta.partners.spotnana.com/v2/auth/oauth2-token" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "client_id=" \
  -d "client_secret=" \
  -d "subject_token=" \
  -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "scope=openid"
```

Here's a sample response:

```json
{
  "access_token": "eyJraWQiOi...",
  "refresh_token": "eyJjdHkiOi...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "openid"
}
```

`expires_in` is the lifetime of the returned access token in seconds, so your backend should record when it received the response and obtain a fresh token before that window closes.

The table below explains the parameters used in the [OAuth token generation](/openapi/authapi/authentication/fetchoauth2token) API request:

| Parameter | Required? | Description |
| --- | --- | --- |
| `grant_type` | Yes | Must contain the value: `urn:ietf:params:oauth:grant-type:token-exchange`. |
| `client_id` | Yes | Your Spotnana client ID. |
| `client_secret` | Yes | Your Spotnana client secret. |
| `subject_token` | Yes | The user's access token. Spotnana will use this as a bearer token to call your [get user detail endpoint](#create-a-get-user-detail-api-endpoint) to identify the user. |
| `subject_token_type` | Yes | Must contain the value: `urn:ietf:params:oauth:token-type:access_token`. |
| `scope` | Yes | Must contain the value: `openid`. |

Both the `client_secret` and the user's `subject_token` travel in the form body of this request, so it must be sent server to server from your backend over HTTPS, never from client-side code.
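The following is an added example of the **get user detail** endpoint described earlier on this page; it is not Spotnana's code or an existing partner implementation. It assumes, hypothetically, that your system's access tokens are compact HMAC-SHA256 signed tokens (`base64url(json).base64url(signature)`) and that user records live in a small in-memory directory; in a real deployment you would replace `verify_token()` with your identity provider's validation and `USERS` with your user store. The signing key, user directory and token format are all constructed for the example.

```python
"""'Get user detail' endpoint for the Spotnana token-exchange flow (example code).

Spotnana calls GET /v1/user-detail with the user's subject_token as a bearer
token and expects {"user": {"email": ...}} back. The endpoint validates the
token before it discloses an email, and returns 401 on any failure.
"""
import base64
import hashlib
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this example; load from a secret store in production.
TOKEN_SIGNING_KEY = b"example-signing-key-do-not-use"

# Constructed user directory keyed by the token's subject claim.
USERS = {"u-1001": "user@yourcompany.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 3600, now=None) -> str:
    """Mint a token the way your login flow might; included so the example runs offline."""
    now = int(time.time()) if now is None else now
    payload = _b64url(json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode())
    sig = _b64url(hmac.new(TOKEN_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, now=None):
    """Return the token's subject if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims.get("sub")


def handle_user_detail(authorization_header, now=None):
    """Core logic of GET /v1/user-detail; returns (http_status, response_body).

    The email is returned only for a valid, unexpired token whose subject is a
    known user; every failure path gets the same 401 so nothing leaks about why.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    subject = verify_token(authorization_header[len("Bearer "):].strip(), now=now)
    if subject is None or subject not in USERS:
        return 401, {"error": "invalid token"}
    return 200, {"user": {"email": USERS[subject]}}


class UserDetailHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle_user_detail()."""

    def do_GET(self):
        if self.path != "/v1/user-detail":
            self.send_error(404)
            return
        status, body = handle_user_detail(self.headers.get("Authorization"))
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    print("sample token:", issue_token("u-1001"))
    HTTPServer(("127.0.0.1", 8080), UserDetailHandler).serve_forever()
```

Run the module, copy the printed token, and `curl -H "Authorization: Bearer <token>" http://127.0.0.1:8080/v1/user-detail` returns the JSON shape Spotnana expects; omit the header, tamper with the token, or wait past its expiry and the endpoint answers 401 instead.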
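The client side of the exchange, as an added example that is not part of Spotnana's SDK or documentation: it builds the same form-encoded POST as the `curl` request above, reads the credentials from environment variables so the `client_secret` never sits in source, and converts the response's `expires_in` into an absolute expiry so the caller knows when to obtain a new token. The endpoint URL and parameter names come from this page; the environment-variable names, the `TokenSet` type and the 60-second refresh margin are this example's own assumptions.

```python
"""Spotnana token exchange client (example code, not Spotnana's SDK)."""
import json
import os
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Sandbox URL and constant parameter values taken from the request on this page.
TOKEN_URL = "https://api-ext-sboxmeta.partners.spotnana.com/v2/auth/oauth2-token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


@dataclass
class TokenSet:
    """Parsed token response; expires_at is absolute epoch seconds, not a duration."""
    access_token: str
    refresh_token: str
    token_type: str
    expires_at: float
    scope: str

    def needs_refresh(self, now=None, margin: int = 60) -> bool:
        """True once the access token is within `margin` seconds of expiring."""
        now = time.time() if now is None else now
        return now >= self.expires_at - margin


def build_token_exchange_request(client_id, client_secret, subject_token, url=TOKEN_URL):
    """Return (url, body_bytes, headers) for the POST, kept separate from I/O for testing."""
    form = {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "scope": "openid",
    }
    body = urllib.parse.urlencode(form).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, body, headers


def parse_token_response(text: str, now=None) -> TokenSet:
    """Validate the JSON token response and pin expires_in to an absolute time."""
    now = time.time() if now is None else now
    data = json.loads(text)
    for field in ("access_token", "refresh_token", "token_type", "expires_in"):
        if field not in data:
            raise ValueError(f"token response missing {field!r}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return TokenSet(
        access_token=data["access_token"],
        refresh_token=data["refresh_token"],
        token_type=data["token_type"],
        expires_at=now + int(data["expires_in"]),
        scope=data.get("scope", ""),
    )


def exchange_token(subject_token, client_id=None, client_secret=None, timeout=10) -> TokenSet:
    """Perform the exchange server to server. Credentials default to env vars (assumed names)."""
    client_id = client_id or os.environ["SPOTNANA_CLIENT_ID"]
    client_secret = client_secret or os.environ["SPOTNANA_CLIENT_SECRET"]
    url, body, headers = build_token_exchange_request(client_id, client_secret, subject_token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # End-to-end run needs real credentials in the environment and a real user token.
    import sys
    token_set = exchange_token(sys.argv[1])
    print("access token expires in", round(token_set.expires_at - time.time()), "seconds")
```

Keep the `TokenSet` on the server side, keyed to the user's session; hand the Spotnana access token to the user's client only if your integration requires it, and check `needs_refresh()` before each use rather than waiting for a 401 from Spotnana.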