Authorization Flows Edit the file on GitHub
Table of Contents
Generate access_token
The first thing you need to do before any request which requires authorization
is to grab a valid access_token
. Depending on your application's needs you
either need an application token
or a user token
.
Keep in mind that a user token can also be used for accessing public resources as well, taken that it was generated containing the
public
permission in thescope
parameter.
Application Token
An implementation of client-credentials, allowing you to access only public resources.
Expires 2 weeks
upon creation.
The request signature of an application token request (client_credentials
) is
the following:
POST https://www.skroutz.gr/oauth2/token
Name | Type | Value | Required | Description |
---|---|---|---|---|
client_id |
String | Yes | The application client ID supplied by Skroutz | |
client_secret |
String | Yes | The application client secret supplied by Skroutz | |
grant_type |
String | client_credentials |
Yes | The grant type of the request. Value must be client_credentials . |
scope |
String | public |
Yes | Only public permission is allowed in application_tokens |
User Token
It grants access to user resources and is generated in two steps. Expires in a day since its creation.
Step 1 - Get an authorization code
The request signature of an authorization code request is the following:
GET https://www.skroutz.gr/oauth2/authorizations/new
Name | Type | Value | Required | Description |
---|---|---|---|---|
client_id |
String | Yes | The application client ID supplied by Skroutz | |
redirect_uri |
String | Yes | The redirect uri of the application | |
response_type |
String | code |
Yes | The type of the response. Value must be code . |
scope |
String | public , favorites , notifications |
Yes | The space separated set of permissions your application wishes |
If you perform the above request the user will get to see a screen prompting to authorize your application to access the resources you specified in the scope parameter.
Given that the user granted your application the requested permissions, you are then redirected to:
https://your_redirect_uri?code=a_valid_authorization_code
Otherwise you will get redirected to:
https://your_redirect_uri?error=access_denied
Keep in mind that the code will be url-encoded. Please url-decode it before supplying it to the library performing HTTP requests, as the library may url-encode it again, rendering it invalid.
Step 2 - Exchange the authorization code for an oauth_token
and a refresh token
The request signature of an access token request is the following:
POST https://www.skroutz.gr/oauth2/token
Name | Type | Value | Required | Description |
---|---|---|---|---|
client_id |
String | Yes | The application client ID supplied by Skroutz | |
client_secret |
String | Yes | The application client secret supplied by Skroutz | |
redirect_uri |
String | Yes | The redirect uri of the application | |
grant_type |
String | authorization_code |
Yes | The grant type of the request. Value must be authorization_code . |
code |
String | Yes | The authorization code obtained |
If the request was successful, the response contains JSON in the following form:
{
"access_token": "your_access_token",
"refresh_token": "your_refresh_token",
"token_type": "bearer",
"expires_in": 3599
}
Consume access_token
There are 2 ways to specify your access_token
in a request.
1. As a parameter
curl -XGET https://api.skroutz.gr/api/search\?\
q\=apple\&\
oauth_token=your_access_token_here \
-H 'Accept: application/vnd.skroutz+json; version=3'
2. As a header
curl -XGET https://api.skroutz.gr/api/search\?q\=apple \
-H 'Accept: application/vnd.skroutz+json; version=3' \
-H 'Authorization: Bearer your_access_token_here'
Mind not to use both ways at the same time.
Renew access_token
Any API call with an expired access_token
receives an HTTP 401 Unauthorized
response.
Application Token
If your application token you're using gets expired you have to get a new one in the exact way you got the last one.
POST https://www.skroutz.gr/oauth2/token
Name | Type | Value | Required | Description |
---|---|---|---|---|
client_id |
String | Yes | The application client ID supplied by Skroutz | |
client_secret |
String | Yes | The application client secret supplied by Skroutz | |
grant_type |
String | client_credentials |
Yes | The grant type of the request. Value must be client_credentials . |
scope |
String | public |
Yes | Only public permission is allowed in application tokens |
The above request will respond with an existing or a new application token. Notice that in this case you don't need to exchange a refresh token for an application token.
User Token
When a user token gets expired you need to exchange the refresh token you've been given for a new valid token.
POST https://www.skroutz.gr/oauth2/token
Name | Type | Value | Required | Description |
---|---|---|---|---|
client_id |
String | Yes | The application client ID supplied by Skroutz | |
client_secret |
String | Yes | The application client secret supplied by Skroutz | |
refresh_token |
String | Yes | The refresh_token obtained in an earlier step |
|
grant_type |
String | refresh_token |
Yes | The grant type of the request. Value must be refresh_token . |