Authentication

Authentication at Logitech and the Circle API is supported via the OAuth2 standard, using the authorization code pathway for third-party clients. You will be issued an OAuth2 client id / secret and an API Key by our team once you have provided Logitech with the list of authorized redirect_uris. Logitech will work with partners to determine which Permissions will be allowable. When requesting an OAuth2 token, you must specify the Permissions via the OAuth2 scope parameter. Logitech-issued OAuth2 refresh tokens are good for 60 days. Requesting a new access token using a refresh token will result in a new refresh token being returned, which is also good for 60 days. Token revocation is supported via RFC 7009.

To learn about OAuth2 in general, please see here.

The Logitech OAuth2 endpoints are as follows:

https://id.logi.com/
https://accounts.logi.com/identity/oauth2/token
https://accounts.logi.com/identity/oauth2/revoke

When interacting with the Circle API Server (api.circle.logi.com), all client applications must also pass their API Key as a custom header value. Do NOT send this header to the id.logi.com or accounts.logi.com OAuth2 endpoints. This header is named X-API-Key:

X-API-Key: <api key>
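
The refresh-token rotation and X-API-Key scoping described above, as an added Python example that is not Logitech's code. The TokenStore class, the post helper and the Bearer Authorization header are assumptions not stated on this page; any token values passed in are constructed.

```python
import time
from urllib.parse import urlsplit

TOKEN_URL = "https://accounts.logi.com/identity/oauth2/token"
API_HOST = "api.circle.logi.com"
REFRESH_TTL = 60 * 24 * 3600  # refresh tokens are good for 60 days


def build_headers(url, api_key, access_token):
    """Return credential headers for url; X-API-Key goes only to the Circle API Server."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send credentials over " + repr(parts.scheme))
    if parts.hostname != API_HOST:
        # id.logi.com and accounts.logi.com must never receive the API key.
        return {}
    # Assumption: the access token is presented as an RFC 6750 bearer token.
    return {"X-API-Key": api_key, "Authorization": "Bearer " + access_token}


class TokenStore:
    """Hypothetical holder for the current token pair and its 60-day window."""

    def __init__(self, access_token, refresh_token, now=None):
        now = time.time() if now is None else now
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.refresh_expires_at = now + REFRESH_TTL

    def refresh(self, post, now=None):
        """Exchange the refresh token for a new pair.

        post(url, form) -> dict is a hypothetical HTTP helper that sends the
        form to the token endpoint, performs client authentication with the
        client id / secret, and returns the parsed JSON reply.
        """
        now = time.time() if now is None else now
        if now >= self.refresh_expires_at:
            raise RuntimeError("refresh token expired; the user must re-authorize")
        form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        reply = post(TOKEN_URL, form)
        # Each refresh returns a new refresh token: store it first so the saved
        # token is always the most recently issued one, then restart the clock.
        self.refresh_token = reply["refresh_token"]
        self.refresh_expires_at = now + REFRESH_TTL
        self.access_token = reply["access_token"]
        return self.access_token
```

Persist refresh_token and refresh_expires_at to durable, access-controlled storage after every successful refresh, since the value held before the call is no longer the latest one issued.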

The Circle API Server will enforce rate-limiting, quotas and requests-per-second throttling on all third-party Client Applications.

As a partner's usage grows, Logitech will work with that partner to establish the proper limits. During the development phase, a partner's limits will be set very low. Requests that have been rate-limited will return a 429 - Too Many Requests error.