Trying to wrap my head around the Vimeo API author

Posted 2019-06-08 19:49

Question:

So I like to use the Vimeo API in a WordPress plugin.

It seems to me there are actually 3 different ways to do this.

So my guess is that I could set up my website with Vimeo as the 'master' application and, through their complicated authorization process, let users authenticate my app to do things. I am not sure how this exactly works ...

Because I plan to use this commercially I would have to register my plugin as a commercial application with Vimeo. Not that I expect to be rejected by them, but I like the idea of my users having their own sites be their own application, even if this means a longer setup for them.

I have seen one plugin (codeflavors vimeo post Lite) offer settings for client ID and client secret to the user and then do a request to get an API token specific to the user, so basically every user has their own app registered on Vimeo.

/**
 * Constructor, fires up the parent by providing it with
 * client ID, secret and token, if any
 */
public function __construct( $args = array() ){
    // set plugin settings
    $this->settings = cvm_get_settings();
    // set the token
    $token = null;
    if( !empty( $this->settings['oauth_secret'] ) ){
        $token = $this->settings['oauth_secret'];
    }else if( !empty( $this->settings['oauth_token'] ) ){
        $token = $this->settings['oauth_token'];
    }       
    // set up redirect URL
    $redirect_url = admin_url( 'edit.php?post_type=' . cvm_get_post_type() . '&page=cvm_settings' );
    // start the parent
    parent::__construct( $this->settings['vimeo_consumer_key'], $this->settings['vimeo_secret_key'], $token, $redirect_url );
}

I do not understand this part of their code, the part where the token is either an oauth_secret or an oauth_token.

But I actually already integrated their code, ignoring that oauth_secret part, so users can generate their token in the WP Admin page of my plugin when they put their Vimeo secret and ID in.

But now I found 2 other plugins that seem to just use tokens.

define( 'VIMEOGRAPHY_ACCESS_TOKEN', 'eaf47146f04b5550a3e394f3bbf8273f');

They have their token just publicly in their code. Is this intended to be used this way?

I also found out in the Vimeo app setup that you can generate a token right there: "Generate a token for script or testing". And I have seen yet another plugin instructing users to generate their token there and drop that token in the WP Admin page.

So I am a bit confused, but my guess is I could just use my own token for public data, and when users need private data I could just instruct them to generate their own token and use that, and actually skip all this complicated authorization stuff. Even though there is an official API for it, to me it seems simpler and easier to maintain to just let them use a token like an API key for other APIs.

So my question is: am I right about this? And what are the advantages of going the complicated route if I can just let my users generate their own tokens?

Answer 1:

Authentication tokens with the Vimeo API can be broken down into three types:

  • Unauthenticated (client credentials)
  • Authenticated (OAuth2 flow)
  • Authenticated (Personal access token)

Unauthenticated/client credentials tokens can only be used to get public data from Vimeo, and are generated from the client_id and client_secret values.

Authenticated tokens can be used to get both public and private data from Vimeo, when granted the appropriate scopes. Authenticated tokens are generated in one of two ways:

  1. Send the end user through the OAuth2 flow, where they authorize your application to perform actions on behalf of their Vimeo account

  2. Generate a "personal access token" on the app management page. This token is authenticated to the app creator's account.

Use cases vary, of course, but here are some general examples of when to use each of these types of tokens:

  • Unauthenticated - Use if your application will only ever need to retrieve public data from Vimeo.
  • Authenticated token via OAuth - Use if your application will be used by other users and will need to get data on Vimeo private to those users' accounts.
  • Authenticated token via personal access token - Use if your application will only ever be used by your own Vimeo account and will need to get data private on your account.

Each of the services you mention should outline what type of authentication token they require. They may need you, as the end user of their application, to go through the OAuth2 flow and authorize the application to perform actions on behalf of your Vimeo account. They may also need you to generate an application on the Vimeo Developer site, and either provide the service with your application's client_id/secret, or create a personal access token and provide the service with that token.

I hope this information helps!
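
The token choice laid out in the answer above, as an added example that is not part of the original answer or of any plugin named in the question: it builds the client-credentials request for public data and refuses private calls unless an authenticated token is configured. The setting keys, function names and sample values are hypothetical, and the request is returned as data rather than sent, so it runs offline.

```php
<?php
// Added example: setting keys, function names and sample values are hypothetical.
const VIMEO_ACCEPT = 'application/vnd.vimeo.*+json;version=3.4';

// Request that exchanges client_id/client_secret for an unauthenticated
// (public data only) token. Returned as data so the caller can send it
// with any HTTP client.
function client_credentials_request(string $id, string $secret): array
{
    return [
        'method'  => 'POST',
        'url'     => 'https://api.vimeo.com/oauth/authorize/client',
        'headers' => [
            'Authorization' => 'basic ' . base64_encode("$id:$secret"),
            'Content-Type'  => 'application/json',
            'Accept'        => VIMEO_ACCEPT,
        ],
        'body'    => json_encode(['grant_type' => 'client_credentials', 'scope' => 'public']),
    ];
}

// Choose the credential for one call. Private data requires an authenticated
// token (OAuth2 flow or personal access token); public data uses the
// client-credentials token so the account-level token is not sent needlessly.
function resolve_credential(array $settings, bool $needsPrivate): array
{
    $userToken = trim($settings['user_access_token'] ?? '');
    if ($needsPrivate) {
        if ($userToken === '') {
            throw new RuntimeException('Private data needs an authenticated token.');
        }
        return ['type' => 'authenticated', 'token' => $userToken];
    }
    if (!empty($settings['client_id']) && !empty($settings['client_secret'])) {
        return ['type' => 'client_credentials',
                'request' => client_credentials_request($settings['client_id'], $settings['client_secret'])];
    }
    if ($userToken !== '') { // only a pasted token is configured
        return ['type' => 'authenticated', 'token' => $userToken];
    }
    throw new RuntimeException('No Vimeo credentials configured.');
}

// Constructed settings, as they would be loaded from the site's stored options
// rather than from a constant committed in the plugin source.
$settings = ['client_id' => 'EXAMPLE_ID', 'client_secret' => 'EXAMPLE_SECRET', 'user_access_token' => ''];
$cred = resolve_credential($settings, false);
echo $cred['type'], ' -> ', $cred['request']['url'], PHP_EOL;
try {
    resolve_credential($settings, true);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
```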