Updating message authorization code
The Apple News API authenticates clients using message authentication codes (MAC) — specifically, hash-based message authentication codes (HMAC).
MAC/HMAC is a common authentication mechanism for REST APIs.
While the steps outlined above indicate the tasks a client application must perform to authorize an API request, we recommend using a library in your application.
Many OAuth 2.0 client libraries are available for a wide range of languages and environments.
A refresh token is valid indefinitely and allows your application to schedule tasks on behalf of a user without their interaction.
Your application should warn users that they will be asked to authorize using their Mendeley account before initiating an action that requires authorization, because users' web browsers will redirect to another site.
The state value must be kept secret from the client and is required later in the access code exchange stage, so your application should persist the value, perhaps in server-side session storage.
Use the URL constructed in the previous step to ask the user to authorize using their Mendeley credentials.
User authentication errors, including incorrect email address or password, are resolved within the authorization process and your application does not have to handle errors for the user.
Access tokens obtained using the authorization code flow give your application permission to manipulate documents and other resources on behalf of a Mendeley user and to make requests for all API resources.
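One way to handle the state value described above: generate it when the authorization URL is built, persist it in server-side session storage, and check it when the user returns with the authorization code. This is an added example, not code from Mendeley or from the original page; the `session` dictionary, the function names, and the endpoint, client ID and redirect URI values are placeholder assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values; substitute the ones registered for your application.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def begin_authorization(session: dict) -> str:
    """Create a fresh state value, persist it server-side, return the authorization URL."""
    state = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    session["oauth_state"] = state     # 'session' stands in for server-side session storage
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the returned state, then return the authorization code for exchange."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    # pop() makes the stored value single-use, whether or not the check passes.
    expected = session.pop("oauth_state", None)
    if not expected or not hmac.compare_digest(returned.encode(), expected.encode()):
        raise ValueError("state mismatch: discard this response")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated authorization code")
    return codes[0]
```

A response that arrives with no stored state, a wrong state, or a replayed state raises `ValueError`, so the code exchange never starts for a request your application did not initiate.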