Platforms | oAuth 2.0 API Client for Backend Integrations
Harsha Vardhan
started a topic
about 1 year ago
Introduction
oAuth 2.0 API Client flow allows authorizing server-to-server integrations using temporary access tokens (called JWT). Examples of server-to-server integrations include any custom integration service to update data in Capillary or to generate a report; any integration with a 3rd party server such as an ecommerce, marketing or survey platform; centralized POS integration where API requests come from an API gateway, etc. oAuth 2.0 can be set up by creating an API client credential (Client Key and Secret) with a token expiry duration and API read/write permissions. This credential is then used for generating temporary access tokens. The existing Till User Name (TUN) and Password based basic authentication will continue to exist. Depending on the type of integration, oAuth 2.0 or basic auth can be used.
When to Use Basic v/s oAuth 2.0
Basic
oAuth 2.0
Shall be used for POS integrations where API requests come to Capillary server directly from POS front end or POS store server
Shall be used for backend to backend integrations e.g. POS integrations where API requests come to Capillary server from API gateway or a central server, FTP integrations where backend service need to be authenticated, 3rd party integration where API requests come to Capillary from a backend platform
Harsha Vardhan
Introduction
oAuth 2.0 API Client flow allows authorizing server-to-server integrations using temporary access tokens (called JWT). Examples of server-to-server integrations include any custom integration service to update data in Capillary or to generate a report; any integration with a 3rd party server such as an ecommerce, marketing or survey platform; centralized POS integration where API requests come from an API gateway, etc. oAuth 2.0 can be set up by creating an API client credential (Client Key and Secret) with a token expiry duration and API read/write permissions. This credential is then used for generating temporary access tokens. The existing Till User Name (TUN) and Password based basic authentication will continue to exist. Depending on the type of integration, oAuth 2.0 or basic auth can be used.
When to Use Basic v/s oAuth 2.0
Basic
oAuth 2.0
Shall be used for POS integrations where API requests come to Capillary server directly from POS front end or POS store server
Shall be used for backend to backend integrations e.g. POS integrations where API requests come to Capillary server from API gateway or a central server, FTP integrations where backend service need to be authenticated, 3rd party integration where API requests come to Capillary from a backend platform
Setting up oAuth2.0 API Client
- Generate API Client Credentials:
- Edit/Deactivate API Client
For detailed information, see API Authentication.
Login to Capillary Intouch Portal
Go to Organization Settings
Search for Authentication
Click on New API Client
Enter following details:
Description - Description of integration project
Token expiry duration - maximum 60 minutes
Default till - A till which can be used as fallback to attribute any data operations
Access permissions - Entity wise read/write permissions
Click Done to generate Client Key and Client Secret
Click Copy client secret, as it will not be showed in the UI again
- Edit/Deactivate API Client
Once created, the API Client can be edited or deactivated from Organization Settings.
- Disable Basic Authentication
Basic authentication can be disabled or enabled from the Authentication page in Organization Settings.
Authenticating with Client Credentials
Refer to the API documentation for detailed information.
Generate access token with client credentials.
Generate JWT token by calling token/generate API with client credentials
Sample Request
URL - {URL}/v3/oauth/token/generate
Method - POST
Headers - Not required
Body
{ "key": "WnCygRI1Fmlf6YudKyTxQq1LI", "secret": "2N41LImw48BG6IqXGeZY2XaxW6JLin0AVwQjYTzA" }Response
Case 1 - If client credentials are valid
{ "data": { "accessToken": "eyJraWQiOiJrMSIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJDYXBpbGxhcnkiLCJleHAiOjE1NzUyNzAyNzAsImp0aSI6IjJaX2FqUjcwYzJABChVUjlDVTVpUlEiLCJpYXQiOjE1NzUyNjk5NzAsInN1YiI6Im5hbWVfODQzNjIwODIwMSIsImNsaWVudF9pZCI6MjEsIm9yZ19pZCI6MTExNSwidG9rZW5fdXNlIjoidG9rZW5fYWNjZXNzIn0.Ala1-XTDlPtrHFQfCtJKsXe3h_WVyq4QOGI3ZnLNJqOa-<span class="fr-marker" data-id="0" data-type="false" style="display: none; line-height: 0;"></span><span class="fr-marker" data-id="0" data-type="true" style="display: none; line-height: 0;"></span>yJc1UPGbypUysWemzEaiQC_BJ0n9G68SYkVZGi4CSVOhHRNA_dILe8y1Sa90YZKwHVHogJmIKzLmksJrTbjn8s8hSMePBaaUcEdUZ1XssxdFrZhEHHN1fWVYtkdb74PB3sZ7OMDqKUysON8YTNQxLgKOJ3kq0o2QUUDQo1q3gxXFuswate6-jj3oBkcdd1ohhXkPIWZlAb_1lRcLr-ECaaBfh473gayeMVV_6khdKJ7cXrUQ3CXppkrPIzBb7rS6I93iWZw0IlmWbaGduTmPPOhLX6HZLOb84Y28st-cw", "ttlSeconds": 300 }, "errors": null }Case 2 - If client credentials are invalid
{ "data": null, "errors": [ { "code": 320001, "message": "Invalid client key and secret" } ] }Request API with Access Token
Call any API with JWT token using the header “X-CAP-API-ATTRIBUTION-TILL”
Till code can be passed in the header “X-CAP-API-OAUTH-TOKEN”, else default till will be used to mark any data writes and updates.
Sample Request
URL - {URL}/v1.1/customer/add?format=json
Method - POST
Headers
X-CAP-API-ATTRIBUTION-TILL: “blr.koramangala.till001”
X-CAP-API-OAUTH-TOKEN : "eyJraWQiOiJrMSIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJDYXBpbGxhcnkiLCJleHAiOjE1NzUyNzEwMjgsImp0aSI6Im9aczQyNUtUVF93SGFtYVFXdnZFQ1EiLCJpYXQiOjE1NzUyNzA3MjgsInN1YiI6Im5hbWVfODQzNjIwODIwMSIsImNsaWVudF9pZCI6MjEsIm9yZ19pZCI6MTExNSwidG9rZW5fdXNlIjoidG9rZW5fYWNjZXNzIn0.twzL9DRws-8C6XfBf3pzu5KpBtvIhoL1Wq2VbLHFYpT032s23QnN2oHGEtQ-rjYgEalpytMK-lsnAl0fqJTpHdbR0lAB_sqQT4EQWAlC1ysbZTEaL7JBMHYxVprZsWWsSDdizgglr35hSq6tKlkID2onDkkZyAgS2CpZUfCArsacXsPB4RhCNGW-dYTdQ2chiGczCU12yBkd0qNEeduSm7BgCHPcimmTqHy91DvQ8sGLluj0XkJ7dq2xfM5FPbnHQJivbW8ku1L5ow4yxiA6IxjLrgeUNwyydIBG4JPL3it3jDuHY_2_1129crlWtsMR1zztWNaT4eh1EMJnNMivdg"
Body
{ "root": { "customer": [ { "mobile": "91700000000", "email": "tom.sawyer@example.com", "external_id": "XYPZ001", "firstname": "Tom", "lastname": "Sawyer" } ] } }Response
Case 1 - If access token is valid
{ "response": { "status": { "success": "true", "code": "200", "message": "SUCCESS" }, "customers": { "customer": [ { "user_id": "XXXXXXXX", "mobile": "91700000000", "email": "tom.sawyer@example.com", "external_id": "XYPZ001", "registered_on": "2019-09-11 11:11:11", "item_status": { "success": "true", "code": "1000", "message": "Customer Registration Successful" } ] } } }Case 2 - If token is invalid
{ "response": { "status": { "success": "true", "code": "401", "message": "Unauthorized" }, “customers” : null }Case 3 - If token is expired
{ "response": { "status": { "success": "true", "code": "498", "message": "Token expired at 2019-12-02T12:31:15.000+0530"" }, “customers” : null }Case 4 - If token is valid but does not have access to the requested resource
{ "response": { "status": { "code": 403, "message": "Client doesn't have access to the requested resource", "success": false, "warnings": { "warning": [] } } } }Regenerate New Token on Token Expiry
If API response gives error code 498, token need to be generated again.