Here’s what you need to know to authenticate with the Daxko API!
Get API Access
If you haven’t already been granted access to the Daxko Operations API, you should contact your sales representative and request access. Once this step has been done, you should have a username, password and refresh token for your API account. You will need this information to authenticate to the API.
Authentication Workflow
The authentication workflow consists of two steps:
- Use your refresh token to get a client-scoped access token
- Use the client-scoped access token to access resources
For each step, the `Authorization` header must be present.
Get client-scoped access token
So you’ve been granted access to the Daxko API! Let’s pretend you were given the following credential information for illustration purposes.
| Daxko Credential name | Value |
|---|---|
| username | daxko_api_user |
| password | d9a2652cf96d734661c10d5ff2f8061f |
| refresh_token | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9… |
The `refresh_token` can only be used for the `/v3/partners/oauth2/token` endpoint. In order to access other endpoints in the Daxko API, you will have to use the access token returned from the `/v3/partners/oauth2/token` endpoint in place of the `refresh_token`.
What you will do is use the `refresh_token` to generate an `access_token` that is scoped to a particular Daxko client, e.g., the client with ID 9999. This `access_token` will be used for all other API resources, and it restricts the data returned from the API to data for that one Daxko client. To get this access token, you request it from the `/v3/partners/oauth2/token` API endpoint.
The `/v3/partners/oauth2/token` endpoint is an OAuth 2 endpoint that supports the `client_credentials` flow, so the parameter names for the endpoint are not the same as your credential names. Use the following mapping to determine what values to use for the input parameters.
| OAuth2 parameter name | Daxko credential name | Example |
|---|---|---|
| client_id | username | daxko_api_user |
| client_secret | password | d9a2652cf96d734661c10d5ff2f8061f |
| scope | the Daxko client ID, prefixed with `client:` | client:9999 |
| grant_type | n/a (always `client_credentials`) | client_credentials |
An example curl request would be:
```bash
curl -XPOST {base_url}/v3/partners/oauth2/token \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -F "grant_type=client_credentials" \
  -F "client_id=daxko_api_user" \
  -F "client_secret=d9a2652cf96d734661c10d5ff2f8061f" \
  -F "scope=client:9999"
```
To make an API request to the `/v3/partners/oauth2/token` endpoint, the `refresh_token` must be present in the `Authorization` header, in the format `Authorization: Bearer <refresh_token>`.
The response body will return an `access_token` that is scoped to the client you specified with the `scope` body parameter, along with an expiration time in seconds indicating how long the token is valid. An example response would be:
```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": "86400",
  "token_type": "bearer"
}
```
The `access_token` will replace the `refresh_token` in the `Authorization` header for requests to API resources other than the `/v3/partners/oauth2/token` endpoint.
This `access_token` will be valid until the time specified in the `expires_in` response parameter has elapsed, at which point you will need to request a new `access_token` by following the same steps above. The Daxko API will respond with an HTTP 401 status once the token has expired. Your application should watch for this response and request a new `access_token` when it is returned.
Access API resource
Now that you have a time-limited, client-scoped access token, you are able to access any endpoint. The only authentication requirement is that the `Authorization` header be present and have the format `Authorization: Bearer <access_token>`.
Note, this is the `access_token` value returned from the `/v3/partners/oauth2/token` endpoint, NOT the `refresh_token` provided to you as part of your API account credentials.
Now you are able to access other resources, such as the `/v3/members/oauth2/token` resource, for example with the following curl request:
```bash
curl -XPOST {base_url}/v3/members/oauth2/token \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc..." \
  -d '
{
  "username": "member_name",
  "password": "member_password",
  "grant_type": "password",
  "scope": "member:auto_login"
}'
```
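The two-step workflow above, as an added example that is not part of the Daxko documentation or SDK: a small client that exchanges the refresh token for a client-scoped access token, caches it until `expires_in` elapses, sends only the access token to resource endpoints, and renews once on an HTTP 401. The HTTP transport is injected, and `FakeDaxko` is a constructed stand-in that enforces the same header rules so the flow runs offline; `https://example.invalid` and the `access-N` tokens are placeholders.

```python
import time
TOKEN_PATH = "/v3/partners/oauth2/token"

class DaxkoAuth:
    """Refresh token -> client-scoped access token -> resource calls, re-auth on 401."""
    def __init__(self, base_url, username, password, refresh_token, client_id, transport, clock=time.time):
        self.base_url, self.username, self.password = base_url, username, password
        self.refresh_token, self.scope = refresh_token, f"client:{client_id}"
        self.transport, self.clock = transport, clock  # transport(method, url, headers, data) -> (status, body)
        self.access_token, self.expires_at = None, 0.0

    def fetch_access_token(self):
        # Step 1: refresh token in the Authorization header, credentials under their OAuth2 names
        status, body = self.transport("POST", self.base_url + TOKEN_PATH,
            {"Authorization": f"Bearer {self.refresh_token}"},
            {"grant_type": "client_credentials", "client_id": self.username,
             "client_secret": self.password, "scope": self.scope})
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.access_token = body["access_token"]
        self.expires_at = self.clock() + int(body["expires_in"]) - 60  # string of seconds; renew a minute early
        return self.access_token

    def call(self, method, path, data=None):
        # Step 2: only the access token (never the refresh token) goes to resource endpoints
        if self.access_token is None or self.clock() >= self.expires_at:
            self.fetch_access_token()
        for attempt in range(2):
            status, body = self.transport(method, self.base_url + path,
                {"Authorization": f"Bearer {self.access_token}"}, data)
            if status != 401 or attempt:  # a 401 means the token expired: renew once and retry
                return status, body
            self.fetch_access_token()

class FakeDaxko:
    """Constructed stand-in for the API so the flow runs offline; not the real service."""
    def __init__(self, refresh_token, clock):
        self.refresh_token, self.clock, self.issued = refresh_token, clock, {}

    def __call__(self, method, url, headers, data):
        bearer = headers.get("Authorization", "").removeprefix("Bearer ")
        if url.endswith(TOKEN_PATH):  # accepts only the refresh token + client_credentials grant
            if bearer != self.refresh_token or data.get("grant_type") != "client_credentials":
                return 401, {}
            token = f"access-{len(self.issued) + 1}"
            self.issued[token] = self.clock() + 86400
            return 200, {"access_token": token, "expires_in": "86400", "token_type": "bearer"}
        if self.issued.get(bearer, 0) <= self.clock():  # unknown or expired access token
            return 401, {}
        return 200, {"ok": True}
```

Swapping `FakeDaxko` for a function that performs the real POST (form-encoded body for the token endpoint, JSON for resources) is the only change needed against the live API.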
Securing your access token: The `access_token` should always be secured on your server and never be sent to a web browser or mobile device. If an attacker gains access to your `access_token`, the attacker would have full access to every API call documented on this site.