SurveyMonkey implements the authorization code grant of OAuth 2.0 as described in the RFC here: http://tools.ietf.org/html/rfc6749#page-24
+-------------+
|SurveyMonkey |   O
|  Account    |  /|\
|  Owner      |  / \
+-------------+
      ^
      |
     (B)          http://api.surveymonkey.net/
+-----|-------+       Client ID & API key       +----------------+
|            -+----(A)-- & Redirection URI ---->|                |
|   User-     |                                 |                |
|   Agent    -+----(B)-- User authenticates --->|  SurveyMonkey  |
|             |                                 |   API Server   |
|  browser    |         302 redirect w/         |                |
|            -+----(C)-- Authorization Code ---<|                |
+---|----|----+        in query parameter       +----------------+
    |    |                                          ^       v
   (A)  (C)                                         |       |
    |    |                                          |       |
    ^    v                                          |       |
+-------------+                                     |       |
|             |>----(D)-- Authorization Code -------'       |
|   Client    |           & Redirection URI                  |
| Application |                                             |
|             |<----(E)----- Access Token ------------------'
+-------------+
The flow illustrated here includes the following steps:
(A) The client initiates the flow by directing the SurveyMonkey user's user-agent to the authorization endpoint URI. The client includes its client ID, API key and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). The redirection URI encoded in the authorization URI must match the URI configured when the application was registered.
Authorization endpoint: https://api.surveymonkey.net/oauth/authorize
(B) SurveyMonkey's API server authenticates the SurveyMonkey account owner (via the user-agent/browser) and establishes whether the account owner grants or denies the client's access request.
(C) Whether the account owner grants access or not, the API server redirects the user-agent back to the client using the redirection URI provided earlier in the request and during application registration. The redirection URI includes an authorization code as a query parameter named "code" if access was granted and a parameter "error" if it was denied.
(D) The client requests an access token from the API server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the API server by providing the API key as a query parameter "api_key" along with fields "client_secret" and "redirect_uri" in a form-encoded (Content-Type: application/x-www-form-urlencoded) POST. This is the only time the client secret is used. The form POST must also include the code obtained in step (C) as a field "code" and a field "grant_type" set to "authorization_code".
Code exchange endpoint: https://api.surveymonkey.net/oauth/token
(E) The API server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds with an access token in the JSON-encoded response body, as the value of a key named "access_token".
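The five steps above as runnable Python, added here as an example and not taken from SurveyMonkey's guide: it builds the step (A) URL, checks the step (C) callback for "code" or "error", assembles the step (D) token request, and reads "access_token" from the step (E) response, with the HTTP call injected as a callable so the flow can be exercised offline. Assumptions: "response_type=code" and "state" are the standard RFC 6749 authorization-request parameters (this page lists only client_id, api_key and redirect_uri), and every credential value is a placeholder.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints from the flow description above.
AUTHORIZE_URL = "https://api.surveymonkey.net/oauth/authorize"
TOKEN_URL = "https://api.surveymonkey.net/oauth/token"


def new_state():
    """Unguessable per-login value bound to the browser session (RFC 6749 'state', assumed here)."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, api_key, redirect_uri, state):
    """Step (A): redirect_uri must equal the URI registered for the app."""
    params = {"response_type": "code", "client_id": client_id, "api_key": api_key,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step (C): the redirect carries either a 'code' or an 'error' query parameter."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session, discard it")
    if "error" in qs:  # e.g. error=access_denied when the account owner cancels
        raise PermissionError(qs["error"][0])
    return qs["code"][0]


def build_token_request(code, api_key, client_secret, redirect_uri):
    """Step (D): api_key travels in the query string; the rest is a form-encoded POST body."""
    url = f"{TOKEN_URL}?{urlencode({'api_key': api_key})}"
    body = urlencode({"client_secret": client_secret, "code": code,
                      "redirect_uri": redirect_uri, "grant_type": "authorization_code"})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def exchange_code(code, api_key, client_secret, redirect_uri, post):
    """Step (E): post(url, headers, body) performs the HTTP call and returns the response text."""
    url, headers, body = build_token_request(code, api_key, client_secret, redirect_uri)
    payload = json.loads(post(url, headers, body))
    if "access_token" not in payload:
        raise RuntimeError("token endpoint returned no access_token: %r" % payload)
    return payload["access_token"]
```

The client_secret appears only inside build_token_request, so it never reaches the browser; the post callable is where a real deployment plugs in its HTTP client.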
Your client_id is your Mashery username.
Your application name and redirect_uri can be found here:
https://developer.surveymonkey.com/apps/myapps
Your API key, client_secret and rate limits can be found here:
https://developer.surveymonkey.com/apps/mykeys
Here are some example links from our API console:
Access Denied Callback
https://api.surveymonkey.com/api_console/oauth2callback?error_description=Resource+owner+canceled+the+request&error=access_denied
Python Example Application
https://github.com/SurveyMonkey/python_guides/blob/master/guides/authorization.py