This is my very first application I'm developing for an internal business requirement and I need some help getting started.
So far I have found their documentation to be quite low in terms of standards but with a lot of Googling and research, I've managed to get a successful request producing an Access Token.
I have used Composer to download Guzzle and written a little script that listens for a GET request, then I POST some details up and receive the token. Great!
What now? It looks like I need to register a webhook, but first I want to start with listing hooks, just to get a feel for what I need to do next.
I'm looking to retrieve order details each time an order is placed.
Questions:
I have an oauth.php file hosted on an SSL host which is called when I install an app. This gives me a token. Do I register the webhook straight after receiving the token?
If that is a yes, do I now create a webhook.php file which listens for orders placed in real time?
If that is a yes, do I need to run the same code I have in oauth.php to check if I'm allowed and, if so, listen to the call and process it?
Once you have an access token, you can create/list webhooks at any time. According to the sparse documentation, your access token will expire in 30-60 days, so you will need to eventually renew it.
Once you have created the webhook you will need a script in place to receive the incoming data from BigCommerce. If the webhook receives an HTTP code other than 200 from the script, it will attempt to repeat the request with a delay, and after a number of failures will eventually mark the hook as inactive.
You don't need any OAuth-related code on the script that is being triggered by webhooks. If you do want some form of authentication to verify the source of the data, look into the documentation on sending custom headers with the webhook requests. When the webhook triggers it will send a JSON object that contains the scope and ID of the resource that was changed.
It should be noted that while you need an HTTPS URL for both the OAuth process and the webhook triggers, the webhook triggers will not work unless your SSL has all intermediate certificates loaded. You can get through the OAuth process without this, but the hooks will simply not work, to the extent of not even hitting your server's access logs.
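The receiving script the answer describes, written out as an added example (this is not the asker's code and not BigCommerce's). It assumes the hook was registered with a custom header named `X-Webhook-Secret` (an assumed name; any header the platform lets you set will do), that the expected value is stored in the `WEBHOOK_SHARED_SECRET` environment variable, and that the resource ID sits at `data.id` in the JSON body, which matches the answer's description of "scope and ID" but is an assumption about field names. It answers 200 as fast as possible, because the answer notes that anything else makes BigCommerce retry and eventually disable the hook.

```php
<?php
// webhook.php: receiver for webhook POSTs. Added example, not from the original answer.
// Assumptions: custom header X-Webhook-Secret carries a shared secret whose expected value is
// in the WEBHOOK_SHARED_SECRET environment variable; payload has "scope" and "data.id".
declare(strict_types=1);

/**
 * Validate an incoming webhook request and return [httpStatus, decodedPayloadOrNull].
 * Headers and body are passed in so the function can be exercised without a web server.
 */
function handleWebhook(array $headers, string $rawBody, string $expectedSecret): array
{
    // Header names arrive in whatever case the client used; normalise before lookup.
    $normalised = [];
    foreach ($headers as $name => $value) {
        $normalised[strtolower($name)] = $value;
    }

    // 1. Authenticate the source. hash_equals() compares in constant time, and an empty
    //    configured secret must never match (it would accept every request).
    $presented = $normalised['x-webhook-secret'] ?? '';
    if ($expectedSecret === '' || !hash_equals($expectedSecret, $presented)) {
        return [401, null];
    }

    // 2. Parse the JSON body. The hook only tells you WHICH resource changed; the order
    //    itself is fetched afterwards through the API with the stored access token.
    $payload = json_decode($rawBody, true);
    if (!is_array($payload) || !isset($payload['scope'], $payload['data']['id'])) {
        return [400, null]; // malformed body: reject, do not process
    }

    return [200, $payload];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request so the file can be run locally: php webhook.php
    $sample = '{"scope":"store/order/created","data":{"type":"order","id":1234}}';
    [$status, $payload] = handleWebhook(['X-Webhook-Secret' => 'demo-secret'], $sample, 'demo-secret');
    echo "sample request -> HTTP {$status}, scope {$payload['scope']}, id {$payload['data']['id']}\n";
} else {
    $secret = getenv('WEBHOOK_SHARED_SECRET') ?: '';
    [$status, $payload] = handleWebhook(getallheaders(), file_get_contents('php://input'), $secret);
    http_response_code($status);
    if ($status === 200) {
        // Acknowledge first; do the slow work (calling the API for the order) afterwards or from
        // a queue, so a slow downstream call never turns into a retry storm or a disabled hook.
        error_log(sprintf('webhook %s for id %s', $payload['scope'], $payload['data']['id']));
    }
}
```

The shared secret should be a long random value generated once and sent only over the HTTPS URL the answer says is required; if a request arrives without it, the 401 is the only thing the script reveals.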
Windows 2012, PHP 7.4.
I'm having a really hard time getting this going, and the more I fuss with it the more confused and frustrated I become. I'm already behind on the project, so I need to start asking questions.
Working server-side: everything is handled by our application: click a button and it does all the processing without any further interaction.
The task is "simple": send a PDF out for remote signing. Signature tabs are already placed in the PDF, all I have to do is SEND.
Question #1: Getting the JWT token and requesting application consent is a process, but it only has to be done once per application, right?
Question #2: The SDK seems to be overkill. I've written against REST APIs before and I'm comfortable working in that world. So, SDK vs. manually writing what I need. Advice? And whichever choice is preferred, where do I start?
Appreciate any help.
Question #1: Getting the JWT token and requesting application consent is a process, but it only has to be done once per application, right?
Getting consent from the user who will be impersonated by your app is a one time process. Depending on your use case, the "user" could be a "system user" such as finance@example.com or the user could be a specific person.
More on getting consent.
The access token that you get back from the JWT grant flow lasts an hour. So you'll need to repeat the JWT call if you need to make another API call after that. Please do not create a new JWT grant for each API call! Cache the access token.
Question #2: The SDK seems to be overkill. I've written against REST APIs before and I'm comfortable working in that world. So, SDK vs. manually writing what I need. Advice? And whichever choice is preferred, where do I start?
Half of the developers who use the DocuSign eSignature REST API call the API directly. So we're happy for you to do that if you prefer.
Create the request object as a PHP associative array, convert it to JSON and then call the API using your favorite HTTPS request library.
If you have a problem doing so, open a new StackOverflow question.
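The two points in this answer, a JWT grant that is run once per hour at most and an access token that is cached in between, as an added example in plain PHP (this is not DocuSign's SDK code). It assumes the RSA private key that belongs to the integration key is available as PEM text, that the developer sandbox host `account-d.docusign.com` is used, and that a local JSON file is an acceptable cache (swap in Redis or a database table in production). The token endpoint path and the `jwt-bearer` grant type are the standard RFC 7523 ones.

```php
<?php
// Added example, not DocuSign's SDK: JWT grant + access-token cache.
// Assumptions: sandbox host account-d.docusign.com, RSA private key as PEM text,
// cache in a 0600 JSON file. Placeholders: INTEGRATION_KEY, API_USER_GUID, key path.
declare(strict_types=1);

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/** Build the RS256-signed JWT assertion for the JWT grant. */
function buildJwtAssertion(string $integrationKey, string $userId, string $privateKeyPem,
                           string $oauthHost = 'account-d.docusign.com'): string
{
    $now = time();
    $header = ['typ' => 'JWT', 'alg' => 'RS256'];
    $claims = [
        'iss'   => $integrationKey,         // integration (client) key
        'sub'   => $userId,                 // API user id of the user who already gave consent
        'aud'   => $oauthHost,              // bare host, no scheme
        'iat'   => $now,
        'exp'   => $now + 3600,             // assertion lifetime, keep it short
        'scope' => 'signature impersonation',
    ];
    $signingInput = base64UrlEncode(json_encode($header)) . '.' . base64UrlEncode(json_encode($claims));
    $signature = '';
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false || !openssl_sign($signingInput, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Could not sign JWT: ' . openssl_error_string());
    }
    return $signingInput . '.' . base64UrlEncode($signature);
}

/** Exchange the assertion for an access token; returns the decoded token response. */
function requestAccessToken(string $assertion, string $oauthHost = 'account-d.docusign.com'): array
{
    $ch = curl_init("https://{$oauthHost}/oauth/token");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'assertion'  => $assertion,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never switch this off to "make it work"
    ]);
    $body   = (string) curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    $json = json_decode($body, true);
    if ($status !== 200 || !isset($json['access_token'], $json['expires_in'])) {
        throw new RuntimeException("Token request failed (HTTP {$status}): {$body}");
    }
    return $json;
}

/**
 * Return the cached token while it is still valid; otherwise run the grant once and cache it.
 * The 60-second margin avoids handing out a token that expires in the middle of a request.
 */
function getAccessToken(string $cacheFile, callable $grant): string
{
    if (is_file($cacheFile)) {
        $cached = json_decode((string) file_get_contents($cacheFile), true);
        if (is_array($cached) && isset($cached['token'], $cached['expires_at'])
            && $cached['expires_at'] - 60 > time()) {
            return $cached['token'];
        }
    }
    $fresh  = $grant();
    $record = ['token' => $fresh['access_token'], 'expires_at' => time() + (int) $fresh['expires_in']];
    file_put_contents($cacheFile, json_encode($record), LOCK_EX);
    chmod($cacheFile, 0600); // a bearer token is a credential: keep it unreadable to other accounts
    return $fresh['access_token'];
}

// Usage (placeholders, not real values):
// $token = getAccessToken('/var/app/docusign-token.json', function (): array {
//     $assertion = buildJwtAssertion('INTEGRATION_KEY', 'API_USER_GUID',
//                                    file_get_contents('/var/app/private.key'));
//     return requestAccessToken($assertion);
// });
// Then build the envelope as an associative array, json_encode() it, and POST it with
// an "Authorization: Bearer {$token}" header.
```

With this in place every API call goes through `getAccessToken()`, and the signing and token request only happen when the cached entry is missing or within a minute of expiry, which is the behaviour the answer asks for.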
I have an API developed in PHP for my Flutter web app. I am using this API to fetch all the data. But, I can see all the requests made to the server.
Is there any way to hide/restrict any unauthorized person from using my API? I am using the HTTP library to make calls from my Flutter app to the API. I just want to hide those calls to the web API. I have seen some websites do that. Since the server code and website code on those websites are in the same directory, it can be accessed directly without having to make a request to the webserver.
Two problems I see are:
You are able to see all the requests made to the backend server from your web page and you want to hide them.
The answer to this is no, you can't. I say this based on my search on Google and some posts on SO like this one.
You may think about disabling the developer tools. The answer is no, and maybe with unknown side effects.
Is there any way to hide/restrict any unauthorized person from using my API?
The answer to this question is yes and it can be done in many ways. Like you said, token-based authorization has its own issue with keys being leaked and that's why there is always a validity period associated with it, which should be considered. There are mechanisms such as refresh tokens to renew tokens, etc.
The first and foremost thing I would do is enable the CORS mechanism on your server, where the server will only allow requests from very specific domains to be processed. More details are available here.
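The CORS allowlist the answer recommends, together with the token check it mentions, as an added PHP example placed in front of the API (this is not the asker's API code). It assumes the Flutter web app is served from `https://app.example.com` (an assumed origin) and uses a constructed in-memory token table where a real API would consult its session store. The weak setting it replaces is shown in a comment beside the corrected one.

```php
<?php
// Added example: origin allowlist for CORS plus a bearer-token check in front of a PHP API.
// Assumptions: the web app's origin is https://app.example.com; the token table below is
// constructed for illustration and would be a session/DB lookup in a real API.
declare(strict_types=1);

// Weak setting: every site may read this API's responses from inside a visitor's browser.
//   header('Access-Control-Allow-Origin: *');
// Corrected: reflect the Origin only when it is on an explicit allowlist.
const ALLOWED_ORIGINS = ['https://app.example.com'];

function corsHeadersFor(?string $origin): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return []; // unknown origin: no CORS headers, so the browser refuses the cross-origin read
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Vary'                         => 'Origin', // stop caches serving one origin's answer to another
        'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
        'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
        'Access-Control-Max-Age'       => '600',
    ];
}

// CORS is enforced by browsers only; a direct HTTP client sees no difference. That is why every
// request that returns data must also carry a token the server verifies.
function authorize(?string $authorizationHeader, array $validTokens): bool
{
    if ($authorizationHeader === null || !preg_match('/^Bearer\s+(\S+)$/', $authorizationHeader, $m)) {
        return false;
    }
    foreach ($validTokens as $token => $expiresAt) {
        if (hash_equals($token, $m[1]) && $expiresAt > time()) {
            return true; // known token that has not passed its validity period
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null) as $name => $value) {
        header("{$name}: {$value}");
    }
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        http_response_code(204); // preflight answered, no body needed
        exit;
    }
    header('Content-Type: application/json');
    // Constructed token table: token => unix expiry. Replace with your session/DB layer.
    $validTokens = ['constructed-demo-token' => time() + 900];
    if (!authorize($_SERVER['HTTP_AUTHORIZATION'] ?? null, $validTokens)) {
        http_response_code(401);
        echo json_encode(['error' => 'unauthorized']);
        exit;
    }
    echo json_encode(['data' => 'only for authenticated callers']);
} else {
    // Quick local check: php api-guard.php
    var_dump(corsHeadersFor('https://evil.example') === []);            // bool(true)
    var_dump(authorize('Bearer nope', ['constructed-demo-token' => time() + 900])); // bool(false)
}
```

Two practical notes: some Apache/PHP setups do not populate `$_SERVER['HTTP_AUTHORIZATION']` until the header is explicitly passed through, so check that before concluding the token check is broken; and because CORS only affects browsers, the visible requests in the Network tab are still expected, which is the first point of the answer.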
I need to use Quickbooks online API to synchronize data between my system and my client's accounts on quickbooks.
I need to know if it is possible to complete the OAuth2 authorization flow and make API calls without human interaction (without needing to interact with Intuit's authentication and authorization windows)?
I read the Intuit's docs on: https://developer.intuit.com/docs/0100_quickbooks_online/0100_essentials/000500_authentication_and_authorization/connect_from_within_your_app
On the first step, I made a GET request to:
https://appcenter.intuit.com/connect/oauth2?client_id=MY_ID&scope=com.intuit.quickbooks.accounting&redirect_uri=https%3A%2F%2FMY_NGROK_URL.ngrok.io%2FOAuth2PHPExample.php&response_type=code&state=RandomState#/Authorize/COMPANY_ID
Then Intuit's authentication and authorization window opens and I need to enter my username and password and then click the authorize button to get the authorization code.
Is there a way to obtain the authorization code without authenticating and authorizing?
I need to automate this task to make API calls in the backend with PHP.
Thanks,
Marcelo.
Is there a way to obtain the authorization code without authenticating and authorizing?
No... but read below.
I need to automate this task to make API calls in the backend with PHP.
You are misunderstanding how OAuth (either 1 or 2) works.
The very first time you connect you will be prompted to authenticate/authorize access to the QuickBooks Online data.
You are then given a refresh token (or access token depending on if you're using OAuth2 vs. OAuth1).
You then store that refresh token (or access token for OAuth1) and can use that token going forward to make your requests, unattended, without requiring the user to be involved at all.
Key take-away: You only need the user involved the VERY FIRST TIME you connect, and then never again.
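What "store that refresh token and use it going forward, unattended" looks like in PHP, as an added example (this is not the asker's code and not Intuit's SDK). It assumes the one interactive authorization already exchanged the code and saved `access_token`, `refresh_token` and `expires_at` into a JSON file, and that the token endpoint is `https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer` with HTTP Basic client credentials, which you should confirm against the current Intuit docs. The refresh exchange itself is the standard OAuth2 one (RFC 6749, section 6).

```php
<?php
// Added example: unattended OAuth2 refresh for a connection a human authorized ONCE.
// Assumptions: $storeFile already holds {access_token, refresh_token, expires_at} from the
// one-time code exchange; TOKEN_ENDPOINT is taken from Intuit's docs (verify before use).
declare(strict_types=1);

const TOKEN_ENDPOINT = 'https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer';

function loadTokens(string $storeFile): array
{
    $data = json_decode((string) file_get_contents($storeFile), true);
    if (!is_array($data) || !isset($data['refresh_token'])) {
        throw new RuntimeException('No stored refresh token: run the interactive authorization once first.');
    }
    return $data;
}

function saveTokens(string $storeFile, array $tokens): void
{
    // The refresh token is a long-lived credential: write it atomically and keep it private.
    $tmp = $storeFile . '.tmp';
    file_put_contents($tmp, json_encode($tokens), LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, $storeFile);
}

/** Exchange the refresh token for a fresh access token (RFC 6749 section 6). */
function refreshAccessToken(string $clientId, string $clientSecret, string $refreshToken): array
{
    $ch = curl_init(TOKEN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
        ]),
        CURLOPT_HTTPHEADER     => [
            'Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret),
            'Accept: application/json',
            'Content-Type: application/x-www-form-urlencoded',
        ],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body   = (string) curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    $json = json_decode($body, true);
    if ($status !== 200 || !isset($json['access_token'], $json['expires_in'])) {
        // An "invalid_grant" answer means the refresh token was revoked or expired; only then
        // does the user have to go through the interactive authorization again.
        throw new RuntimeException("Refresh failed (HTTP {$status}): {$body}");
    }
    return $json;
}

/** Return a usable access token, refreshing and re-persisting when the stored one is nearly expired. */
function currentAccessToken(string $storeFile, string $clientId, string $clientSecret): string
{
    $tokens = loadTokens($storeFile);
    if (isset($tokens['access_token'], $tokens['expires_at']) && $tokens['expires_at'] - 60 > time()) {
        return $tokens['access_token'];
    }
    $fresh = refreshAccessToken($clientId, $clientSecret, $tokens['refresh_token']);
    $tokens['access_token'] = $fresh['access_token'];
    $tokens['expires_at']   = time() + (int) $fresh['expires_in'];
    // Servers may rotate the refresh token on each use: always persist the newest one returned.
    $tokens['refresh_token'] = $fresh['refresh_token'] ?? $tokens['refresh_token'];
    saveTokens($storeFile, $tokens);
    return $tokens['access_token'];
}

// Usage from a cron job or backend worker (placeholders, not real credentials):
// $token = currentAccessToken('/var/app/qbo-tokens.json', 'CLIENT_ID', 'CLIENT_SECRET');
// then call the QuickBooks API with an "Authorization: Bearer {$token}" header.
```

The only moment a browser window is involved is the first run that populates the store file; after that the worker refreshes on its own, and the one failure mode that brings the user back is a revoked or expired refresh token, which the `RuntimeException` makes explicit instead of silently retrying.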
I'm new to the Valence API and Desire2Learn/Brightspace and I'm unable to make successful API calls. Currently I'm using the language bindings from the Valence site, and can authenticate properly. However, I have made the "Get Versions" call work sometimes, but I have not been able to make any other call, even while using the user credentials that are supplied. For any other call I receive a 400 Bad Request header.
All of the fields are left as the defaults, including the host which is "valence.desire2learn.com". If anybody can help solve my issue I would immensely appreciate it.
EDIT: I discovered that my problems lie with the server that I was testing against. If I change the host parameter to the URL that the API test tool uses (devcop.brightspacedemo.com), I can make API calls again.
The host you mention is a public test, demo site. The fact that you can make a GET versions call (which only needs to be made anonymously), but no other call leads me to wonder if you have appropriate user credentials for that site?
1 - Is it possible to run upload/download of files to the Google Drive API always using the same access token, a sort of shared host for all my site's users, where they can upload and download files directly? If yes, how do I do that? Just by using a "static" access token variable in the PHP client creation/authorization?
2 - Why, when I set up my web application project on the Google API console enabling the Drive API, does it still tell me that my redirect URL mismatches? I created the app about... 2/3 hours ago. Do I need to wait more? I checked the URLs and they both match in my script and in the API console.
3 - As I see from the API console, it is possible to request more quota once the 500K requests per day are reached. How does it work? Does this require billing? How much more quota can I ask for and in which cases?
Thanks.
1) instead of sharing someone's credentials, you should use Service Accounts. Remember that access tokens expire in one hour, so your approach would still need to take care of refreshing those tokens.
2) there's no delay between the time you configure your credentials in the APIs Console and the time they are live. Please double check that your redirect URL matches exactly the one in the APIs Console, including trailing slashes and http/https.
3) if you need more quota you'll have to fill in a form explaining what you need. No billing is required if additional quota is granted.