| id | faq |
|---|---|
| title | Frequently Asked Questions |
| sidebar_label | FAQ |
| sidebar_position | 0 |
| displayed_sidebar | APIsSidebar |

This FAQ answers common questions developers have when working with Quran.Foundation APIs.
The API already delivers peer-reviewed translations. Auto-translating them can distort meaning and create theological inaccuracies. Disable auto-translation using the HTML/CSP techniques linked in the Content APIs Quickstart Guide.
Submit an application to receive your client_id and client_secret. These credentials let you request authorization tokens for accessing user data.
Content APIs provide read-only access to Quran data such as chapters, verses, recitations and translations. User-related APIs manage data tied to a specific Quran.Foundation account like bookmarks and notes.
Include your OAuth2 access token in the x-auth-token header and your client ID in the x-client-id header when calling authenticated endpoints.
For web apps, the recommended pattern is to store the user session in your backend or secure httpOnly cookies and have your backend or serverless proxy send x-auth-token and x-client-id to Quran Foundation.
curl usually sends no browser Origin header, while browser JavaScript does. If you call a User API directly from page code on a third-party origin, the request can be rejected by the target service's browser-origin policy even when the token itself is valid.
For confidential web integrations, route the resource request through your backend or serverless proxy instead of calling Quran Foundation directly from the page.
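The backend-proxy pattern described above, sketched as an added example (not Quran Foundation's own code): the browser holds only a session cookie, and the server attaches x-auth-token and x-client-id itself. The base URL, client ID, route allowlist, cookie name `sid` and session store are placeholders assumed for illustration.

```javascript
// Added example. All values below are placeholders, not taken from the API docs.
const UPSTREAM_BASE = "https://api.example.invalid"; // assumption: placeholder base URL
const CLIENT_ID = "your-client-id";                  // placeholder; load from server config
const ALLOWED_PREFIXES = ["/bookmarks", "/notes"];   // hypothetical route allowlist

// Constructed server-side session store: session id -> tokens held by the backend.
const sessions = new Map([["sess-abc", { accessToken: "constructed-access-token" }]]);

// Parse a Cookie header into a prototype-free object.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Turn a browser request into the upstream request, or a rejection.
function buildUpstreamRequest(req, store = sessions) {
  // The httpOnly session cookie is the only credential the page can present.
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid ? store.get(sid) : undefined;
  if (!session) return { status: 401, error: "no session" };

  // Resolve the path against the fixed base and confirm it did not escape it.
  const base = new URL(UPSTREAM_BASE);
  const target = new URL(req.path, base);
  if (target.origin !== base.origin) return { status: 400, error: "bad target" };

  // Match on the normalized pathname so "../" cannot reach other routes.
  const allowed = ALLOWED_PREFIXES.some(
    (p) => target.pathname === p || target.pathname.startsWith(p + "/")
  );
  if (!allowed) return { status: 403, error: "path not allowed" };

  // Headers are built from server state only; browser-supplied ones are dropped.
  return {
    status: 200,
    method: req.method,
    url: target.href,
    headers: { "x-auth-token": session.accessToken, "x-client-id": CLIENT_ID },
  };
}
```

The returned object is what the backend would hand to its HTTP client; the access token never appears in page JavaScript or in a response to the browser.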
Store refresh tokens securely and reuse them until they expire. Refresh tokens allow you to obtain new access tokens without asking the user to re-authorize.
No. These demo credentials are for testing only and should not be used in production applications.
Include the post_logout_redirect_uri parameter when calling the logout endpoint and pass id_token_hint (the ID token from the login response). The redirect URI must be pre-registered in your OAuth2 client's post_logout_redirect_uris configuration. If post_logout_redirect_uri is set without id_token_hint, the logout request will be rejected.
See Logout with Redirect for implementation examples.
Your logo is displayed automatically if logo_uri is configured in your OAuth2 client registration. See Client Configuration for details on setting up your client metadata.