QR code authentication
As an alternative to patron authentication, you can authenticate users with your product via a QR code flow. This flow doesn't require you to have access to users' library, school, or corporate credentials.
To use the QR code flow:
- Direct users to the OverDrive QR code page.
- From there, users can scan a QR code, or use a link alternative if they can't scan the code, and sign into OverDrive services.
- After authenticating, users are redirected to a URL (set by you) with an auth code.
- Exchange the auth code for the user's access token.
Directing users to the QR code page
To direct users to the OverDrive QR code page, send a GET request to this URL:
Resource URL
https://oauth-patron.overdrive.com/device/initiate?{parameters}Query parameters
Your GET request must include the following URL-encoded parameters:
| Parameter | Description |
|---|---|
| redirect_url | The URL where the user is sent once they successfully sign in. We will append the user's auth code as a query parameter to this URL. |
| abandon_url | The URL where the user is sent if they leave the QR code flow before successfully signing in. |
| error_url | The URL where the user is sent if there's an error during sign in. |
| website_id | The ID for the OverDrive collection that the user is signing into. If you need your website ID, contact support. |
| client_id | Your API client key, provided by OverDrive when you've been approved for API access. |
Example request
GET https://oauth-patron.overdrive.com/device/initiate?redirect_url={website}&abandon_url={website}&error_url={website}&website_id={ID}&client_id={client key}This request redirects the user to an OverDrive page with a QR code that they can scan with a mobile phone or tablet. If they can't scan the QR code, the page provides a URL and 8-letter code that the user can enter manually in a web browser.
Once the user selects a sign-in method, they'll be prompted to select their library (if needed); sign in with their library, school, or corporate credentials; and approve access for your API client.
Best practice: Make sure your API client has a friendly name configured. This name will be visible to users when they approve access.
Completing user authentication
When the user successfully signs into their library or school, they'll be sent to the redirect_url provided in your GET request. The redirect_url will have a 64-character auth code appended as a query parameter, which you can exchange for an access token.
To get the access token, send a POST request to this URL:
Resource URL
https://oauth-patron.overdrive.com/patrontoken/code
In the POST request:
- Combine your client key and client secret like this: clientKey:clientSecret.
Note: Both the clientKey and clientSecret are case sensitive. - Use your language's libraries to encode the combined secret and key using a Base64 algorithm.
- Apply the string to the Authorization header like this: Basic {Base64-encoded string}
- Add the required properties to the request body:
- grant_type=authorization_code.
- code: The 64-character authentication code appended to the redirect_url.
- Format the form-encoded request body like this:
grant_type=authorization_code&code={auth code}
Example request
POST /patrontoken/code HTTP/1.1
Host: oauth-patron.overdrive.com
Authorization: Basic {Base64-encoded client credentials}
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=authorization_code&code={auth code}Example response
200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Date: Fri, 25 Apr 2025 15:09:26 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 1493
Content-Type: application/json; charset=utf-8
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"Bearer",
"expires_in":3600,
"scope":"LIB META SRCH AVAIL PATRON PATRONINT website:12345 ilsname:default"
"refresh_token": "3ZpuoZZTPOjrzz3sicAhaAa"
}In the response, you'll get:
- The token_type and access_token, which you'll need for future Circulation and Discovery API calls in the Authorization header. For example:
GET /v1/patrons/me HTTP/1.1
Host: api.overdrive.com
Authorization: {token_type} {access_token}
User-Agent: {Your application} - When the token expires (expires_in), which is 3600 seconds (or one hour). Once expired, you'll need to request a new token or your API calls will return a 401 error.
- The scopes, which tell you which APIs you have access to:
- LIB: Library Account API
- META: Metadata API
- SRCH: Search API
- AVAIL: Library Availability API
- PATRON: Use the Circulation APIs (Patron Information, Checkouts, Holds) with patron auth or QR code auth in the production environment.
- PATRONINT: Use the Circulation APIs with patron auth or QR code auth in the integration environment.
- DEVICELOGIN: Use the Circulation APIs with QR code auth in the production environment.
- DEVICELOGININT: Use the Circulation APIs with QR code auth in the integration environment.
Note: You’ll also have access to the Magazine Issues API and Digital Inventory API, which won’t appear as scopes.
- A refresh_token that you can use to refresh the user's access token for up to 30 days.
Refreshing a user's access token
To refresh a user's access token, send a POST request to this URL:
Resource URL
https://oauth-patron.overdrive.com/patrontoken/refresh
The request should be formatted similarly to your POST request to the code endpoint, but the properties in the request body should be:
- grant_type=refresh_token.
- refresh_token: Use the refresh token returned in the POST response from the code endpoint.
Example request
POST /patrontoken/refresh HTTP/1.1
Host: oauth-patron.overdrive.com
Authorization: Basic {Base64-encoded client credentials}
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=refresh_token&refresh_token={token}A successful response will return the same information as the response from the code endpoint, including a new refresh_token that you can use in your next POST request to the refresh endpoint.