Authenticate user with the API

Our API supports user accounts, and each user can manage their own account resources. Authentication is token based and uses OAuth 2, the well-known standard.

Let’s do some manual testing for a better understanding. For this we recommend httpie, a command line HTTP client with an intuitive interface and built-in JSON support.

We are going to generate a Client ID and Client secret, sign in an existing user (use your own credentials instead) and obtain the access token, which is then used for all further API calls.

Please note that the authorization token is valid for 2 hours only. Once it has expired you must refresh your access token.

Generate Client ID and Client secret

To generate a Client ID and Client secret, click the Account & Settings button across the top of your account, then click the OAuth applications button.

On the OAuth applications overview page click the New button. Type the name of the application and select the required scopes.

Available scopes:

  • public
  • read_items
  • write_items
  • read_spaces
  • write_spaces

Click the Create application button. If the process succeeds you will get a Client ID and Client secret.

Get access token and refresh token

Httpie:

$ http POST https://app.storeman.io/oauth/token \
  username=john@example.com \
  password=mYsEcReT \
  grant_type=password \
  client_id=Awbnm2osV49A_Ci1Rp14xz61vHyiuO6ub9nSwXS9pw3 \
  client_secret=DO4lzGktMA6nFPyQMGRs0kdLfp137CMfc5jELqAyzhV \
  scope='read_spaces read_items write_items write_spaces'

cURL:

$ curl -XPOST https://app.storeman.io/oauth/token \
  -d username=john@example.com \
  -d password=mYsEcReT \
  -d grant_type=password \
  -d client_id=Awbnm2osV49A_Ci1Rp14xz61vHyiuO6ub9nSwXS9pw3 \
  -d client_secret=DO4lzGktMA6nFPyQMGRs0kdLfp137CMfc5jELqAyzhV \
  -d scope='read_spaces read_items write_items write_spaces'

If your credentials, Client ID and Client secret are correct, you should get a result similar to the following:

HTTP/1.1 200 OK
Cache-Control: private, no-store
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Thu, 24 Jun 2021 22:07:20 GMT
ETag: W/"0309139a6c428599afe36a12b755c09c"
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Server: nginx/1.18.0 (Ubuntu)
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 01ba187b-086e-4e96-924c-aef1496de516
X-Runtime: 0.573215
X-XSS-Protection: 1; mode=block

{
  "access_token": "dyGraWQiCiJQd1JubTVvcFY0OUFfSmkyUnAxNHh6NjF5SHlpdU82dWI5blN3WFF5cHc0IiwiYWxnIjoibm9uZSJ9.eyJpc3MiOiJTdG9yZW1hbiIsImlhdCI6MTYyNDU3MjQ0MCwianRpIjoiZWE4NTgwNDYtZTk3Yi00ZGFmLWEzZDQtZmM1MjV1YWI3YjI3IiwidXNlciI6jyJpZCI6eyIkb2lkIjoiNjAzZmMzOWQ4OWE2NjA0MTE1ZmZiM2NmIn0sImVtYWlsIjoiaGVscEBzdG9yZW1hbi5pbyJ9cRa",
  "created_at": 1624572440,
  "expires_in": 7200,
  "refresh_token": "FqbrXZKyBJG1ZHKR8rHovtCP-NMt7V-Bu34svPAz8Ds",
  "scope": "read_spaces read_items write_items write_spaces",
  "token_type": "Bearer"
}

The access_token value is your authorization token, to be used for authenticating API calls; the refresh_token value is the token used to obtain a new access_token once the current one has expired.

Please note that the access_token is a Bearer token (token_type is Bearer).

Refresh access token

Httpie:

$ http POST https://app.storeman.io/oauth/token \
  grant_type=refresh_token \
  client_id=Awbnm2osV49A_Ci1Rp14xz61vHyiuO6ub9nSwXS9pw3 \
  client_secret=DO4lzGktMA6nFPyQMGRs0kdLfp137CMfc5jELqAyzhV \
  refresh_token=FqbrXZKyBJG1ZHKR8rHovtCP-NMt7V-Bu34svPAz8Ds

cURL:

$ curl -XPOST https://app.storeman.io/oauth/token \
  -d grant_type=refresh_token \
  -d client_id=Awbnm2osV49A_Ci1Rp14xz61vHyiuO6ub9nSwXS9pw3 \
  -d client_secret=DO4lzGktMA6nFPyQMGRs0kdLfp137CMfc5jELqAyzhV \
  -d refresh_token=FqbrXZKyBJG1ZHKR8rHovtCP-NMt7V-Bu34svPAz8Ds

If your refresh token, Client ID and Client secret are valid, you should get a result similar to the following:

HTTP/1.1 200 OK
Cache-Control: private, no-store
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Sun, 27 Jun 2021 09:07:37 GMT
ETag: W/"93de4d150f2c692acd7caefa4d8238fb"
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Server: nginx/1.18.0 (Ubuntu)
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: be05dbf6-b501-47fb-abe9-1839f61b714d
X-Runtime: 0.401476
X-XSS-Protection: 1; mode=block

{
  "access_token": "dyGraWQiCiJQd1JubTVvcFY0OUFfSmkyUnAxNHh6NjF5SHlpdU82dWI5blN3WFF5cHc0IiwiYWxnIjoibm9uZSJ9.eyJpc3MiOiJTdG9yZW1hbiIsImlhdCI6MTYyNDU3MjQ0MCwianRpIjoiZWE4NTgwNDYtZTk3Yi00ZGFmLWEzZDQtZmM1MjV1YWI3YjI3IiwidXNlciI6jyJpZCI6eyIkb2lkIjoiNjAzZmMzOWQ4OWE2NjA0MTE1ZmZiM2NmIn0sImVtYWlsIjoiaGVscEBzdG9yZW1hbi5pbyJ9cRa",
  "created_at": 1624784857,
  "expires_in": 7200,
  "refresh_token": "mlYDlKSZaqfSnAt_jFzd1ECSwCT5I4nOo6ZX_16Q57I",
  "scope": "read_spaces read_items",
  "token_type": "Bearer"
}

Revoke access token

Httpie:

$ http POST https://app.storeman.io/oauth/revoke \
  client_id=Awbnm2osV49A_Ci1Rp14xz61vHyiuO6ub9nSwXS9pw3 \
  client_secret=DO4lzGktMA6nFPyQMGRs0kdLfp137CMfc5jELqAyzhV

cURL:

$ curl -XPOST https://app.storeman.io/oauth/revoke \
  -d client_id=Awbnm2osV49A_Ci1Rp14xz61vHyiuO6ub9nSwXS9pw3 \
  -d client_secret=DO4lzGktMA6nFPyQMGRs0kdLfp137CMfc5jELqAyzhV

If your Client ID and Client secret are correct, you should get a result similar to the following:

HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Sun, 27 Jun 2021 08:58:30 GMT
ETag: W/"44136fa355b3678a1146ad16f7e8649e"
Referrer-Policy: strict-origin-when-cross-origin
Server: nginx/1.18.0 (Ubuntu)
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 8d22554e-e17d-4fa8-8f4a-fb07a2819891
X-Runtime: 0.144153
X-XSS-Protection: 1; mode=block

{}
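The sign-in, refresh and revoke requests above, put together as a small client that tracks expiry from created_at and expires_in and runs the refresh grant before the access token lapses. This is an added example, not Storeman's own code; it assumes the endpoints accept form-encoded bodies, and the `token` field sent to /oauth/revoke is the standard RFC 7009 parameter, which the page's own revoke example does not show. The `canned_opener` helper is a constructed stand-in for urlopen so the flow can be exercised offline.

```python
# Minimal OAuth 2 client for the flow above (added example, not Storeman's own code).
# Assumed: form-encoded bodies; /oauth/revoke takes the RFC 7009 `token` field.
import io
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://app.storeman.io/oauth/token"
REVOKE_URL = "https://app.storeman.io/oauth/revoke"
SKEW = 60  # refresh this many seconds before the server's stated expiry

def password_grant_body(client_id, client_secret, username, password, scopes):
    """Form fields for the initial sign-in (the password grant shown above)."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "scope": " ".join(scopes)}

def refresh_grant_body(client_id, client_secret, refresh_token):
    """Form fields for exchanging a refresh_token for a new access_token."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}

def revoke_body(client_id, client_secret, token):
    """Form fields for /oauth/revoke; the `token` field is an assumption (RFC 7009)."""
    return {"client_id": client_id, "client_secret": client_secret, "token": token}

def post_form(url, fields, opener=urllib.request.urlopen):
    """POST the fields form-encoded and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read() or b"{}")

def canned_opener(body):
    """Constructed stand-in for urlopen that answers every request with `body`."""
    return lambda req: io.BytesIO(body)

def is_expired(token, now=None, skew=SKEW):
    """True once created_at + expires_in (minus the safety skew) has passed."""
    now = time.time() if now is None else now
    return now >= token["created_at"] + token["expires_in"] - skew

def ensure_fresh(token, client_id, client_secret, opener=urllib.request.urlopen, now=None):
    """Return a usable token dict, running the refresh grant when it has expired."""
    if not is_expired(token, now):
        return token
    body = refresh_grant_body(client_id, client_secret, token["refresh_token"])
    return post_form(TOKEN_URL, body, opener)
```

Keep only the dict returned by `ensure_fresh`: as the refresh response above shows, the server hands out a new refresh_token on each refresh, so the previous one must not be reused.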