
How do redirect URIs work?

There are three options for registering redirect URIs with your client credentials.

  1. Register no redirect_uris at all
    If the client app is configured with no redirect_uris, then any redirect_uri can be used. This is less secure than specifying redirect_uris. Registered redirect_uris add an extra level of security because they prevent somebody from using someone else's stolen client credentials (we would never redirect to their domain; they would also have to control the user's DNS to get round that!). For more on the potential risks here, you may enjoy this short post starring "Evil User": OAuth 2.0 Redirection URI Validation. Because of the potential risks, we only allow this option on the Sandbox API.

    When registering for credentials, if you do not want any redirect URIs registered, request no redirect URIs in the notes field.

  2. Register just the host name
    If the client app is registered with a redirect_uri that is just the host name, then any redirect_uri at that host can be used. So, for example, if the following redirect_uri is registered: https://thirdparty.com

    then all of the following redirect_uris will work:
    https://thirdparty.com/oauth/callback1
    https://thirdparty.com/callback2
    https://thirdparty.com:8080/callback
    https://thirdparty.com/anything-else-as-long-as-the-host-is-the-same

    If you decide that this approach might work for you, you can handle the URIs by registering all of the redirect URIs in one of your domains and then redirecting again to the appropriate domain.

  3. Register all redirect_uris fully
    This is what is encouraged on the registration form and is what most third parties do.
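As an added illustration (not ORCID's own code), here is a small Python check that applies the three registration options above to a requested redirect_uri. It compares parsed hostnames rather than string prefixes, ignores the port for host-only registrations (as the :8080 example above shows), and additionally assumes that a host-only registration must also match the scheme, which the text above does not state.

```python
from urllib.parse import urlsplit


def _is_host_only(uri):
    """True when a registered entry is just scheme + host (option 2):
    no path, query or fragment."""
    parts = urlsplit(uri)
    return parts.path in ("", "/") and not parts.query and not parts.fragment


def redirect_uri_allowed(requested, registered):
    """Decide whether `requested` may be used as the redirect_uri for a
    client whose credentials were registered with the list `registered`.

    Option 1: no registered URIs at all -> anything is accepted
              (Sandbox-only behaviour, least secure).
    Option 2: a registered entry that is just a host -> any URI at that
              host, on any path and any port, is accepted.
    Option 3: a fully registered URI -> only an exact match is accepted.
    """
    if not registered:                      # option 1
        return True
    req = urlsplit(requested)
    if not req.hostname:                    # not an absolute URL: reject
        return False
    for entry in registered:
        if entry == requested:              # option 3: exact match
            return True
        reg = urlsplit(entry)
        if (_is_host_only(entry)
                and reg.scheme == req.scheme          # assumption: same scheme
                and reg.hostname == req.hostname):    # host only, port ignored
            return True
    return False


if __name__ == "__main__":
    # Constructed sample registrations, mirroring the page's examples.
    host_only = ["https://thirdparty.com"]
    full = ["https://thirdparty.com/oauth/callback"]
    print(redirect_uri_allowed("https://thirdparty.com:8080/callback", host_only))   # True
    print(redirect_uri_allowed("https://thirdparty.com.evil.example/cb", host_only))  # False
    print(redirect_uri_allowed("https://thirdparty.com/other", full))                 # False
```

Hostnames from `urlsplit` are lower-cased, so the host comparison is case-insensitive; the exact-match rule for option 3 is deliberately byte-for-byte.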
