Chess.com implements the OAuth 2.0 and OpenID Connect (OIDC) industry-standard protocols to grant third-party applications access to user data.

This document explains how applications can use Chess.com OAuth 2.0 endpoints to implement authorization and ultimately obtain user data and access Chess.com APIs.

I. Setting Up

To get started, you need to fill out the form requesting access to Chess.com OAuth and API services. After we review and approve your request, we will provide you with the client credentials, and you are then all set to use the OAuth server.

II. Obtaining tokens

After the OAuth client is created, your application can interact with Chess.com's OAuth server, specifically using the Authorization Code flow, which lets you obtain an authorization code that you then exchange for an ID Token, an Access Token and a Refresh Token.

The following diagram illustrates the key steps:

[Figure: OAuth 2.0 Flow]

Step 1: Generate a code verifier and challenge

For added security, Chess.com supports the Proof Key for Code Exchange (PKCE) protocol. While PKCE is required only for public clients that cannot keep a secret (for example single-page or mobile apps), it is highly recommended for confidential clients as well, since it helps protect against authorization code injection attacks.

To implement the protocol, for every authorization request create what is known as a "code verifier": a high-entropy, cryptographically random string between 43 and 128 characters long. It may contain only the characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".

The second part is to create a "code challenge" by Base64URL-encoding the SHA-256 hash of the code verifier: Base64UrlEncode(SHA256Hash(code_verifier)). The code challenge is sent to the authorization server in the next step.

Step 2: Send an authentication request to Chess.com

To begin the Authorization Code flow, send the authorization request to Chess.com's OAuth 2.0 endpoint at https://oauth.chess.com/authorize. The following table defines the query string parameters accepted by the endpoint.
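As an added example (not Chess.com's own code or SDK), the following Python carries Step 1 and the assembly of the Step 2 request through end to end: it generates a code verifier from the allowed character set using the OS CSPRNG, derives the S256 code challenge (Base64URL without the "=" padding, as RFC 7636 requires), and builds the authorization URL. The verify_code_challenge function shows the check the authorization server performs later at token exchange, which is what makes a leaked or injected authorization code useless without the matching verifier. The parameter names used in build_authorization_url are the standard OAuth 2.0 / PKCE names from RFC 6749 and RFC 7636, which is an assumption here since the document's own parameter table is not reproduced; client_id and redirect_uri values are placeholders.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Endpoint named in the document.
AUTHORIZE_ENDPOINT = "https://oauth.chess.com/authorize"

# Unreserved characters permitted in a code verifier (RFC 7636 section 4.1),
# matching the set listed in Step 1.
_VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def generate_code_verifier(length: int = 64) -> str:
    """Return a fresh random code verifier of the given length (43..128)."""
    if not 43 <= length <= 128:
        raise ValueError("code verifier length must be between 43 and 128")
    # secrets.choice draws from the OS CSPRNG; a PRNG such as random.choice
    # would make the verifier guessable and defeat the purpose of PKCE.
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def is_valid_code_verifier(verifier: str) -> bool:
    """Length and character-set check from Step 1."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def code_challenge_s256(verifier: str) -> str:
    """Base64UrlEncode(SHA256Hash(code_verifier)) with padding stripped."""
    if not is_valid_code_verifier(verifier):
        raise ValueError("malformed code verifier")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """Server-side check at the token endpoint: recompute the challenge from
    the presented verifier and compare it in constant time to the challenge
    stored with the authorization code."""
    if not is_valid_code_verifier(verifier):
        return False
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            verifier: str, state: str) -> str:
    """Assemble the Step 2 authorization request URL.

    Parameter names are the standard OAuth 2.0 / PKCE names (assumed here;
    the document's own table is authoritative). The state value must be
    unpredictable and bound to the user's session so the callback can be
    checked against it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed placeholder values; a real client uses its issued client_id
    # and a registered redirect URI.
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(32)
    print("code_verifier  :", verifier)
    print("code_challenge :", code_challenge_s256(verifier))
    print(build_authorization_url("CLIENT_ID_PLACEHOLDER",
                                  "https://app.example/callback",
                                  "openid", verifier, state))
```

Keep the verifier and the state on the client (server-side session or equivalent) until the redirect comes back; the verifier is sent only to the token endpoint, never in the authorization request itself.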

Authorization request parameters