diff --git a/source/includes/_authentication.md b/source/includes/_authentication.md index e4a86300..473bb0bc 100644 --- a/source/includes/_authentication.md +++ b/source/includes/_authentication.md @@ -112,8 +112,7 @@ For convenience we will just write `{client_credentials}` ## Service Applications -These are not run from the end user's deployment, and hence do not need to be authorized by the user, so authorization -and accessing a token is are combined into one step for these application. +Service applications are not run on behalf of a user, so they're great for situations where you need to access and move data, but don't need to attribute the action to an individual. Authorization and accessing a token are combined into one step for these applications. ### Token Acquisition for Service Applications @@ -139,6 +138,17 @@ curl X- POST https://planet-express.api.accelo.com/oauth2/v0/token \ -d 'grant_type=client_credentials' \ -d 'scope=read(staff)' ``` + +```python +requests.post( + 'https://planet-express.api.accelo.com/oauth2/v0/token', + data={ + 'grant_type': 'client_credentials', + 'scope': 'read(staff)' + }, + auth=(client_id, client_secret), +) +``` The token endpoint: `https://{deployment}.api.accelo.com/oauth2/v0/token` @@ -187,12 +197,12 @@ A successful request will contain the following fields: ## Web Applications -Web applications require the end-user to authorize an application before it can make any requests. Hence token +Web applications are run on behalf of a user, so they're great for situations where you need to take an action, and attribute the action to an individual. To authorize a web application, the user must first authorize the application, so token acquisition requires two steps: 1. [Authorization of the application](#authorization-for-web-applications) -2. [TokenAcquisition](#token-acquisition-for-web-applications) +2. [Token Acquisition](#token-acquisition-for-web-applications) -Keep in mind for these applications that the host is the deployment for the *user* and not the web application's +Keep in mind for these applications that the host is the *user's* deployment, not the web application's deployment host. @@ -226,6 +236,17 @@ curl -X POST https://planet-express.api.accelo.com/oauth2/v0/authorize \ -d 'redirect_uri=https//planet-express.com/oauth-callback' ``` +```python +requests.post( + 'https://planet-express.api.accelo.com/oauth2/v0/authorize', + data={ + 'client_id': client_id, + 'response_type': 'code', + 'scope': 'read(companies,contacts),write(staff) + } +) +``` + Authorization is achieved through the authorize endpoint. For authorizing web applications, the endpoint takes the following parameters: @@ -370,6 +391,17 @@ curl -X POST https://planet-express.api.accelo.com/oauth2/v0/authorize \ -d 'scope=read(companies,contacts),write(staff)' ``` +```python +requests.post( + 'https://planet-express.api.accelo.com/oauth2/v0/authorize', + data={ + 'client_id': client_id, + 'response_type': 'code', + 'scope': 'read(companies,contacts),write(staff) + } +) +``` + This is done through the `/authorize` endpoint. For authorizing installed applications we have the following parameters: | Parameter | Type | Description | @@ -450,6 +482,17 @@ curl -X POST https://planet-express.api.accelo.com/oauth2/v0/revoke \ -d 'token={access_token_to_be_revoked}' ``` +```python +requests.post( + 'https://planet-express.api.accelo.com/oauth2/v0/revoke', + data={ + 'client_id': client_id, + 'client_secret': client_secret, + 'token': {access_token_to_be_revoked} + } +) +``` + `POST /oauth2/revoke` Token revocation may be necessary when read/write permissions are no longer required e.g. on log-out, authorization on @@ -491,6 +534,17 @@ curl -X POST https://planet-express.api.accelo.com/oauth2/v0/token \ -d 'refresh_token=VYfb63__vf' ``` +```python +requests.post( + 'https://planet-express.api.accelo.com/oauth2/v0/token', + data={ + 'token_type': 'refresh_token', + 'refresh_token': 'VYfb63__vf' + }, + auth=(client_id, client_secret), +) +``` + For installed and web applications if you still have a valid token, you may request a new token using the refresh token that came with it. This request uses the `/token` endpoint and accepts the following parameters: @@ -520,6 +574,13 @@ curl -X get https://planet-express.api.accelo.com/api/v0/tokeninfo \ -H 'authorization: Bearer {access_token}' ``` +```python +requests.get( + 'https://planet-express.api.accelo.com/api/v0/tokeninfo', + headers={'authorization': f'Bearer {access_token}'} +) +``` + To obtain the information of any access token the `/tokeninfo` endpoint is used. Note this endpoint is *not* located in `.../oauth2/v0` but rather `/api/v0`. It takes only a single parameter: @@ -563,6 +624,16 @@ curl -X get https://planet-express.api.accelo.com/api/v0/companies/1 \ -H 'authorization: Bearer {access_token}' ``` +```python +requests.get( + 'https://planet-express.api.accelo.com/api/v0/companies/1', + headers={ + 'Content-Type': 'application/x-www-form-urlencoded', + 'authorization': f'Bearer {access_token}' + } +) +``` + Once you have access to your token you may use it to access endpoints. This can be done by either including it as a query parameter as `_bearer_token`, or as a HTTP `Authorization: Bearer` header. For security reasons the latter is preferred. Note that including both of these will return an error. @@ -587,5 +658,3 @@ Public API. A user is limited to 100 failed authentication attempts within a 5 m the user will be 'locked out'. Any attempt to authenticate during this 'lockout' period will restart the 5 minute timer. Once the lockout period has expired, you should be able to continue to use the API as normal. - -