Skip to main content

Version 4 of the TMDB API uses OAuth 2.0 for authentication, which is more secure and versatile than the API key system used in v3. This authentication method allows applications to access user-specific data with proper user consent. Follow this steps below for your authentication:
1

Create a Request Token

To begin the authentication process, you need to create a request token by making a POST request to the TMDB API.
curl -X POST \
  https://api.themoviedb.org/4/auth/request_token \
  -H 'Content-Type: application/json' \
  -d '{
    "redirect_to": "https://www.themoviedb.org/"
  }'
Response
{
  "success": true,
  "expires_at": "2025-03-07T10:00:00.000Z",
  "request_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
  • The redirect URL (or callback) is an optional parameter you can include with this request. It will execute the request token and grant approval on TMDB.
  • The request_token is valid for 60 minutes
2

Asking for approval on TMDB

Next, In order for a user to approve the request token, they have to be redirected to the website.
https://www.themoviedb.org/auth/access?request_token={request_token}
Ensure you replace request_token with the token received in the previous step.
3

Create an Access Token

After the request_token has been approved, exchange the request token for an access token.
curl -X POST \
https://api.themoviedb.org/4/auth/access_token \
-H 'Content-Type: application/json' \
-d '{
    "request_token": "your_request_token"
}'
You’ll receive a response containing an access token and account ID:
{
  "success": true,
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "account_id": "12345678"
}
Store this access token securely. Unlike the request token, this access token does not expire unless revoked by the user from their TMDB account settings.
4

Using the Access Token

Finally, use the access token in the Authorization header to make authenticated API requests.
curl -X GET \
https://api.themoviedb.org/4/account/12345678 \
-H 'Authorization: Bearer your_access_token'
Replace 12345678 with the actual account ID you received in the previous step.
You can now access user-specific endpoints and perform actions on behalf of the user.