Authentication & Authorization

Gaining Access

We are mainly granting access to partners right now, but if you are interested in using our data, feel free to contact us. See the contact information on the main site.

Restrictions

All endpoints have defined access requirements. When requesting an access token you also specify a scope. For all standard data points the only available scope is client (this is granted automatically by default). This scope gives you access to the endpoints we have defined for you (these are the endpoints you see in the Explorer). If you plan to consume only non-user-related data, this is the only scope you will need, and you can obtain it with the Client credentials grant.

For user data endpoints you will need to request authorization from the user for more scopes by using the Authorization Code Grant.

The current user scopes are:

  • user.reviews.write

  • user.social.read

  • user.social.write

  • user.lists.read

  • user.lists.write

  • user.alerts.read

  • user.alerts.write

You can specify multiple scopes by separating them with a comma: “scope1,scope2”.

OAuth

We are using OAuth2 (RFC 6749).

Getting an access token

Client credentials grant

POST: https://api.site.tld/auth/token
(x-www-form-urlencoded data):
grant_type: client_credentials
client_id: CLIENT_ID
client_secret: CLIENT_SECRET
scope: client

A successful response will look like this:

access_token: a generated hash (string)
token_type: 'bearer' (string)
expires: timestamp (integer)
expires_in: seconds until expiry (integer)

External credentials grant

POST: https://api.site.tld/auth/token
(x-www-form-urlencoded data):
grant_type: external
client_id: CLIENT_ID
client_secret: CLIENT_SECRET
id: EXTERNAL_SERVICE_USER_ID
service: EXTERNAL_SERVICE_NAME

An external token must also be added. When the external service uses OAuth2 it looks as follows:

token: TOKEN_STRING

When the external service uses OAuth1, the token has the following format:

token[identifier]: TOKEN_IDENTIFIER
token[secret]: TOKEN_SECRET

The response has the same format as for the Client credentials grant.

Authorization Code Grant

GET: https://api.site.tld/auth?client_id=CLIENT_ID&redirect_uri=REDIR_URI&response_type=code&scope=SCOPES&state=STATE

The redirect URL will contain an error parameter on failure, or code and refresh parameters on success.

If the authorization was successful you can now request an access token with the auth code you received:

POST: https://api.prisjakt.nu/v1/auth/token
(x-www-form-urlencoded data):
grant_type: authorization_code
client_id: CLIENT_ID
client_secret: CLIENT_SECRET
redirect_uri: REDIR_URI
code: AUTH_CODE

Refresh Token

POST: https://api.prisjakt.nu/v1/auth/token
(x-www-form-urlencoded data):
grant_type: refresh_token
client_id: CLIENT_ID
client_secret: CLIENT_SECRET
refresh_token: REFRESH_TOKEN