Authorization Flow Versions

NOTICE

2019 - Mendeley is migrating from its Legacy Authentication Flow to the new Elsevier Authentication Flow. We strongly recommend developers relying on this service to test and update your client configurations on the My Apps page. This migration will be completed by mid-2019.

Elsevier Flow - Recommended Option

Mendeley is fully integrated with the Elsevier authentication mechanism and by using this flow for your client authorization requests, users will experience an improved user journey. Additionally, it will be possible for users to register for a new Mendeley account as part of the authorization flow or even to chose to authenticate with their institution, organization or Athens account instead of their Elsevier username and password.

The outline of the flow is as follows:

1. Your client requests authorization

To start the flow, your client must redirect the browser to the authorization page, as described in Authorization code flow or Implicit flow.

2. Sign In or Register

If the user is not already signed in with their Elsevier credentials, then they will be shown the standard Elsevier sign in page:

Elsevier sign in screen

After entering their email, the user will be prompted to enter their password if they already have an Elsevier account or to register if they do not.

If the user is already signed in, then this step will be skipped.

3. Grant Access

The user will then be presented with an authorization request screen, which will look similar to that shown below:

Authorization dialog

4. Callback to your client

The callback to your client will be made when the user selects one of the options from the dialog. The structure of the callback request is the same as the legacy callback and is described in Authorization code flow or Implicit flow.

Legacy Flow - Not Recommended

When a client using the legacy flow makes a request for authorization to access a user's account, then the flow will be as follows:

1. Your client requests authorization

To start the flow, your client must redirect the browser to the authorization page, as described in Authorization code flow or Implicit flow.

2. Sign in and grant access

The user will see a single page requesting that they enter their username and password to grant access to their account.

Legacy authorization dialog

3. Callback to your client

The callback to your client will be made when the user enters a valid username and password and clicks on the Authorize button. The structure of the callback request will be as described in Authorization code flow or Implicit flow.