Authentication
- 14 Jul 2023
- 5 Minutes to read
- Print
- DarkLight
Authentication
- Updated on 14 Jul 2023
- 5 Minutes to read
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Authentication
API_key Authentication
For each method call, you must use your email and API_KEY.Authentication to the API is done via HTTP Basic Auth.Provide your email as the basic auth username and API_KEY as the password. You must authenticate for API requests.Even though we still support this type of authentication, we recommend using Oauth authentication.
When using API key to call the interface, you need to bring the parameter siteId.
For Example: GET https://api11.comm100.io/v4/livechat/campaigns?siteId=10000
Refer to this guide on How to get API Key and call API with API Key authentication
Oauth Authentication
You can use OAuth2 to authenticate all your API requests to Comm100. OAuth provides a more secure way for your application to access your account data without requiring sensitive information like email and password to be sent with the requests. There are different OAuth flows for different types of API.
Note that while generating an access token, the API request should start with your platform domain, which is different from other API requests. For example:
- If your Control Panel domain is dash11.comm100.io, the API request should start with https://dash11.comm100.io/.
- If your Control Panel domain is dash12.comm100.io, the API request should start with https://dash12.comm100.io/.
- If your Control Panel domain is dash13.comm100.io, the API request should start with https://dash13.comm100.io/.
- If your Control Panel domain is dash15.comm100.io, the API request should start with https://dash15.comm100.io/.
- If your Control Panel domain is dash17.comm100.io, the API request should start with https://dash17.comm100.io/.
How to get the access token?
By Password
The Password grant is used when the application exchanges the user’s username and password for an access token. This is exactly the thing OAuth was created to prevent in the first place, so you should never allow third-party apps to use this grant.
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update.
Using curl
POST oauth/token
Params:
| Name | Type | Required | Description |
|---|---|---|---|
email | string | yes | Email of the agent account. |
password | string | yes | Password of the agent account. |
grant_type | string | yes | Specify password as the value. |
client_id | string | yes | ClientId of the oauth client. Go to the control panel / global settings / security/ OAuth Client / Edit OAuth client page to get the client_id. |
Example
Sample Request:
curl https://dash11.comm100.io/oauth/token \
-X 'POST' \
-H 'Content-Type: application/x-www-form-urlencode' \
-D 'grant_type=password&email={comm100_agent_email}&password={comm100_agent_password}&client_Id={comm100_oauthClient_clientId}'
Response:
HTTP/1.1 200 OK
{
"access_token":"vQAQmLX8jvtsG71ItN2QAisqI_F7cDIE0yaX0FfS3RX6g-HR4gfHSVMaOukomYJiJX0Q",
"token_type":"bearer",
"expires_in":43199,
"refresh_token":"91a728cdd4c64fb7b128f74f4855c3daee44167ef60542a2b45c21e16373ed02"
}
Authorize
The authorization code is a temporary code that the client will exchange for an access token. The code itself is obtained from the authorization server where the user gets a chance to see what the information the client is requesting, and approve or deny the request.
Using curl
GET /oauth/authorize
Params:
| Name | Type | Required | Description |
|---|---|---|---|
client_id | string | yes | ClientId of the oauth client. Go to the control panel / global settings / security/ OAuth Client / Edit OAuth client page to get the client_id. |
redirect_uri | string | yes | The redirect URI in the token request must be an exact match of the redirect URI (host & path) that was used when generating the authorization code. The service must reject the request otherwise. |
response_type | string | yes | Specify code as the value. |
code_challenge | string | yes | Now that the client has a code challenge string, it includes that and a parameter that indicates which method was used to generate the challenge (plain or S256) along with the standard parameters of the authorization request. |
code_challenge_method | string | yes | plain or S256 |
siteId | string | yes | site id. |
Example
Sample Request:
curl https://dash11.comm100.io/agentconsole/authorize \
-X 'GET' \
-H 'Content-Type: application/json' \
-D 'client_Id={comm100_oauthClient_clientId}&response_type=code&redirect_uri=https%3A%2F%2Fdash11.comm100.io%2Fauthed&code_challenge=xxxxxxxx&code_challenge_method=S256&siteId=10000'
Response:
HTTP/1.1 302 Redirect
Location: https://dash11.comm100.io/agentconsole/authorize?code=xxxxxxxx&siteId=10000
The authorization server should recognize the code_challenge parameter in the request, and associate that with the authorization code it generates. Store this in the database along with the authorization code. The server returns the authorization code as normal, and does not include the challenge in the data returned.
By authorization_code
The authorization code grant is used when an application exchanges an authorization code for an access token. After the user returns to the application via the redirect URL, the application will get the authorization code from the URL and use it to request an access token. This request will be made to the token endpoint.
Using curl
POST oauth/token
Params:
| Name | Type | Required | Description |
|---|---|---|---|
code | string | yes | This parameter is the authorization code that the client previously received from the authorization server. |
redirect_uri | string | yes | The redirect URI in the token request must be an exact match of the redirect URI (host & path) that was used when generating the authorization code. The service must reject the request otherwise. |
grant_type | string | yes | Specify authorization_code as the value. |
code_verifier | string | yes | If the client included a code_challenge parameter in the initial authorization request, it must now prove it has the secret used to generate the hash by sending it in the POST request. This is the plaintext string that was used to calculate the hash that was previously sent in the code_challenge parameter. |
client_id | string | yes | ClientId of the oauth client. Go to the control panel / global settings / security/ OAuth Client / Edit OAuth client page to get the client_id. |
Example
Sample Request:
curl https://dash11.comm100.io/oauth/token \
-X 'POST' \
-H 'Content-Type: application/json' \
-D '{
"client_id": "xxx",
"code_verifier": "test",
"grant_type": "authorization_code",
"code": "eyJhbGciOiJodHRw..",
"redirect_uri":"https://dash11.comm100.io/agentconsole/authorize"
}'
Response:
HTTP/1.1 200 OK
{
"access_token": "eyJhbGciOiJodHRwOi8vd3d3...",
"refresh_token": "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8y...",
"token_type": "Bearer",
"expires_in": 43200
}
Refresh token
Using curl
POST oauth/token
Params:
| Name | Type | Required | Description |
|---|---|---|---|
client_secret | string | yes | The secret to authenticate the client.Go to the control panel / global settings / security/ OAuth Client / Edit OAuth client page to get the secret. |
refresh_token | string | yes | The refresh token previously issued to the client.Response from the interface of get the access token. |
grant_type | string | yes | Specify refresh_token as the value. |
client_id | string | yes | ClientId of the oauth client. Go to the control panel / global settings / security/ OAuth Client / Edit OAuth client page to get the client_id. |
Example
Sample Request:
curl https://dash11.comm100.io/oauth/token \
-X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_id=xxx' \
--data-urlencode 'refresh_token=eyJhbGciOiJodHRwOi8v...' \
--data-urlencode 'client_secret=c8ebc...'
Response:
HTTP/1.1 200 OK
{
"access_token": "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxctbW......",
"refresh_token": "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZ.....",
"token_type": "Bearer",
"expires_in": 43200
}
Refer to this Guide on How to call API with Oauth authentication
Was this article helpful?