
Frequently Asked Questions

This FAQ answers common questions developers have when working with Quran.Foundation APIs.

Why should I block automatic translation on Quran text returned by the API?

The API already delivers peer-reviewed translations. Auto-translating them can distort meaning and create theological inaccuracies. Disable auto-translation using the HTML/CSP techniques linked in the Quick Start guide.

How do I obtain OAuth2 credentials?

Submit an application to receive your client_id and client_secret. These credentials let you request authorization tokens for accessing user data.

Content APIs provide read-only access to Quran data such as chapters, verses, recitations and translations. User-related APIs manage data tied to a specific Quran.Foundation account like bookmarks and notes.

How do I use x-auth-token and x-client-id headers?

Include your OAuth2 access token in the x-auth-token header and your client ID in the x-client-id header when calling authenticated endpoints.

What are the best practices for refresh tokens?

Store refresh tokens securely and reuse them until they expire. Refresh tokens allow you to obtain new access tokens without asking the user to re-authorize.

Can I use the demo credentials quran-demo/secret in production?

No. These demo credentials are for testing only and should not be used in production applications.

How do I redirect users back to my app after logout?

Include the post_logout_redirect_uri parameter when calling the logout endpoint and pass id_token_hint (the ID token from the login response). The redirect URI must be pre-registered in your OAuth2 client's post_logout_redirect_uris configuration. If post_logout_redirect_uri is set without id_token_hint, the logout request will be rejected.

See Logout with Redirect for implementation examples.
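The sketch below is an added example, not code from the Quran.Foundation documentation. It builds the logout URL on the client and applies the two rules from the answer above before redirecting. The endpoint URL, the registered URI list, the sample token, and the function name buildLogoutUrl are placeholders or constructed values, and the exact-string comparison against the registered list is an assumption chosen as the conservative client-side check.

```javascript
// Placeholder endpoint: the real logout URL is not given on this page.
const LOGOUT_ENDPOINT = "https://auth.example.invalid/oauth2/logout";

// Constructed sample: mirror of the post_logout_redirect_uris you
// registered for your OAuth2 client.
const REGISTERED_POST_LOGOUT_URIS = ["https://app.example.invalid/signed-out"];

// Hypothetical helper: returns the URL to send the browser to for logout.
// Throws locally on requests the FAQ says would be rejected.
function buildLogoutUrl(
  { idToken, postLogoutRedirectUri } = {},
  registered = REGISTERED_POST_LOGOUT_URIS,
  endpoint = LOGOUT_ENDPOINT
) {
  const url = new URL(endpoint);

  if (postLogoutRedirectUri !== undefined) {
    // Rule 1: post_logout_redirect_uri without id_token_hint is rejected.
    if (!idToken) {
      throw new Error("post_logout_redirect_uri requires id_token_hint");
    }
    // Rule 2: the redirect URI must be pre-registered. Exact string match
    // (assumption): no prefix matching, no trailing-slash tolerance.
    if (!registered.includes(postLogoutRedirectUri)) {
      throw new Error("post_logout_redirect_uri is not pre-registered");
    }
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  }

  // id_token_hint is the ID token from the login response.
  if (idToken) {
    url.searchParams.set("id_token_hint", idToken);
  }

  // searchParams.set percent-encodes the values for us.
  return url.toString();
}
```

Failing on the client keeps a mistyped or unregistered redirect URI from reaching the user as a rejected logout.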

Your logo is displayed automatically if logo_uri is configured in your OAuth2 client registration. See Client Configuration for details on setting up your client metadata.