This page describes the authorization process of third-party Apps with VoipNow.


...

Access tokens obtained from VoipNow become valid as soon as they are received and can be used in API requests. Access tokens are only valid for 1 hour. After 1 hour, the access token expires and the App must request another token or refresh it.

Obtain authorization

...

The App redirects the user to the server authorization endpoint. The App must make an HTTP POST or GET request to the authorization endpoint located at https://<hostname>/oauth/authorize.php. When making the request, the header Content-Type must be set to application/x-www-form-urlencoded and the body must contain the Request Parameters listed in the table below:

| Name | Required | Description |
|---|---|---|
| response_type | Yes | Always set to code. |
| redirect_uri | Yes | URI where the system sends the response. Must be URL encoded if it's sent in the query parameters. |
| client_id | Yes | App Key as generated by the system at registration time. |
| state | Yes | Parameter to be used by the App to verify if the response received from the system is valid. Should be a random string of minimum 16 characters. |

The following example shows how to make a POST request to the authorization endpoint:

...

The App must request an access token. Using the authorization code received in the previous step, the App must make an HTTP POST request to the token endpoint located at https://<hostname>/oauth/token.php. When making the request, the header Content-Type must be set to application/x-www-form-urlencoded and the body must contain the Request Parameters listed in the table below:

| Name | Required | Description |
|---|---|---|
| grant_type | Yes | Always set to authorization_code |
| code | Yes | The code received in STEP 4. |
| redirect_uri | Yes | URI where the system returns the response. |
| client_id | Yes | App Key as generated by the system at registration time. |
| client_secret | Yes | App Secret as generated by the system at registration time. Can be missing if sent in the Authorization header. |

The following example shows how to make a POST request to the token endpoint:

...

HTTP Response

HTTP/1.1 200 OK
...

{
 "access_token":"1|5~2wKMPg9h~GExN3s01-7wX2XmLI_Xbz|1|1345716093|O_XQYdHR0P-xMvqbVsh_OwRH7GT4.FtR",
 "expires_in":3600,
 "token_type":"bearer",
 "refresh_token":"9_s2TBCQ1y.PPzVNXkT-Gff6tB9z_bqr"
}
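
The authorization-code steps above, sketched as an added example (not code from the original page or from VoipNow): it generates the state value, rejects a callback whose state does not match, and builds the token request with the App Secret in the Authorization header instead of the body. The hostname, App Key, redirect URI and function names are constructed placeholders; nothing is sent over the network.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

HOST = "voipnow.example.com"  # constructed placeholder for <hostname>


def new_state() -> str:
    # 32 URL-safe random characters, above the 16-character minimum for state.
    return secrets.token_urlsafe(24)


def authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    # urlencode() URL-encodes redirect_uri, as required for query parameters.
    query = urlencode({"response_type": "code", "redirect_uri": redirect_uri,
                       "client_id": client_id, "state": state})
    return f"https://{HOST}/oauth/authorize.php?{query}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    # Accept the code only if state equals the value stored for this session.
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not match our request")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def token_request(code: str, redirect_uri: str, client_id: str,
                  client_secret: str) -> Request:
    # App Secret travels in the Authorization header (RFC 6749 section 2.3),
    # so it never appears in the form body. Assumes key and secret are plain
    # ASCII without ':'.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri,
                      "client_id": client_id}).encode()
    return Request(f"https://{HOST}/oauth/token.php", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Authorization": f"Basic {basic}"})
```

The state value must be stored server-side against the user's session before the redirect, so that `code_from_callback` compares against a value the browser cannot supply.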

...

The App requests an access_token by making an HTTP POST request to the token endpoint located at https://<hostname>/oauth/token.php. The parameters are sent in the request body using the application/x-www-form-urlencoded format. The Request Parameters are listed in the table below:

| Name | Required | Description |
|---|---|---|
| grant_type | Yes | Always set to client_credentials |
| client_id | Yes | App Key as generated by the system at registration time. |
| client_secret | Yes | App Secret as generated by the system at registration time. Can be missing if it's sent in the Authorization header. |

Note

Client authentication is performed as described in the OAuth standard: https://tools.ietf.org/html/rfc6749#section-2.3. This means that the client_id and client_secret parameters can be sent in the Authorization header or in the body of the request.

...

The App requests an access_token by making an HTTP POST request to the token endpoint located at https://<hostname>/oauth/token.php. The parameters are sent in the request body using the application/x-www-form-urlencoded format.

| Name | Required | Description |
|---|---|---|
| grant_type | Yes | Always set to refresh_token |
| client_id | Yes | App Key as generated by the system at registration time. |
| client_secret | Yes | App Secret as generated by the system at registration time. Can be missing if it's sent in the Authorization header. |
| refresh_token | Yes | The refresh token received in STEP 6 (The Request User Permission Section). |

Note

Client authentication is performed as described in the OAuth standard: https://tools.ietf.org/html/rfc6749#section-2.3. This means that the client_id and client_secret parameters can be sent in the Authorization header or in the body of the request.

...

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International.