
Authorization is required via the OAuth2 standard. For more information see the OAuth2 documentation and RFC 6749.

Grant Types

Actionstep currently supports the Authorization grant type only, but we may introduce other methods at later dates.

Scope

Actionstep requires the use of the scope argument, which represents each resource that the client wishes to access. For example, the scope

"timerecords actions participants"

requests access to the time records, actions and participants resources.

...

The scope can either be set server-side or on a request-by-request basis. Before granting access to the client system, the end user will be shown the scope for which the client is requesting access. This is done so that the end user may understand what data they will be exposing to the client and has the opportunity to decline the request.

The API grants access on a per end user basis, so the API resources available to the client will be limited by the end user's native access settings. Furthermore, data returned by any request will also be limited by the end user's native access settings. All activity using that access token will be logged in Actionstep against the end user who authorized it.

Scope also determines the output of the API resources, so the client will only receive data which is available to the scopes requested.

Tokens

All Access Tokens have a 30 minute lifespan and can easily be renewed via the OAuth2 token endpoint by using a Refresh Token, which has a 14 day lifespan.

Our OAuth2 endpoints are:

https://api.actionstep.com/api/oauth/authorize

https://api.actionstep.com/api/oauth/token

We currently only support the Bearer OAuth token authorization method, which is easily used when requesting data via the header: "Authorization: Bearer {accesstoken}"

For more information, see the OAuth2 documentation.
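The Scope and Tokens sections above describe the whole client-side flow: ask for only the scopes needed, exchange the returned code at the token endpoint, send the access token as a Bearer header, and renew it with the refresh token before the 30 minute lifespan runs out. The following is an added example written for this page, not Actionstep's own client library. It uses the two endpoint URLs and the header shape given above; the request parameter names (response_type, client_id, redirect_uri, scope, state, grant_type, code, refresh_token, client_secret, expires_in) are the standard RFC 6749 names and are assumed here, since the page does not list Actionstep's exact parameters. The `state` check on the callback is the client-side protection against a forged redirect.

```python
"""Minimal OAuth2 authorization-code client for the endpoints documented on this page.
Added example; parameter names follow RFC 6749 and are assumed, not taken from Actionstep docs."""
import json
import time
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen

AUTHORIZE_URL = "https://api.actionstep.com/api/oauth/authorize"
TOKEN_URL = "https://api.actionstep.com/api/oauth/token"

# Lifetimes stated in the documentation, in seconds.
ACCESS_TOKEN_LIFETIME = 30 * 60
REFRESH_TOKEN_LIFETIME = 14 * 24 * 60 * 60


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: send the user to the authorize endpoint, requesting only the scopes
    the client needs as a space-delimited string (e.g. "timerecords actions participants").
    `state` is a random per-request value the client must verify on the way back."""
    params = {
        "response_type": "code",       # authorization-code grant (RFC 6749 4.1.1)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the one-time code out of the redirect back to the client.
    A state mismatch means the redirect was not started by this client: discard it."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    if "error" in q:                   # user declined the requested scope
        raise ValueError("authorization denied: " + q["error"][0])
    return q["code"][0]


def _post_form(url, fields):
    """Real transport: form-encoded POST, JSON reply. Swappable so the flow is testable offline."""
    req = Request(url, data=urlencode(fields).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenSet:
    """Access/refresh pair with local expiry tracking, so the client renews a 30 minute
    token shortly before it expires instead of after a failed request."""

    def __init__(self, reply, now=None):
        now = time.time() if now is None else now
        self.access_token = reply["access_token"]
        self.refresh_token = reply.get("refresh_token")
        # Prefer the server's expires_in if it sends one; otherwise use the documented 30 minutes.
        self.access_expires_at = now + int(reply.get("expires_in", ACCESS_TOKEN_LIFETIME))
        self.refresh_expires_at = now + REFRESH_TOKEN_LIFETIME

    def access_expired(self, now=None, skew=60):
        """Treat the token as expired `skew` seconds early to absorb clock drift and latency."""
        now = time.time() if now is None else now
        return now >= self.access_expires_at - skew

    def refresh_expired(self, now=None):
        now = time.time() if now is None else now
        return now >= self.refresh_expires_at

    def auth_header(self):
        """Exactly the header form given in the documentation: Authorization: Bearer {accesstoken}."""
        return {"Authorization": "Bearer " + self.access_token}


def exchange_code(code, client_id, client_secret, redirect_uri, post=_post_form):
    """Step 3: swap the code for tokens at the token endpoint (RFC 6749 4.1.3)."""
    return TokenSet(post(TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must match the one used in step 1
        "client_id": client_id,
        "client_secret": client_secret,
    }))


def refresh(tokens, client_id, client_secret, post=_post_form, now=None):
    """Renew the access token with the 14 day refresh token (RFC 6749 section 6).
    Once the refresh token has expired, the user must go through authorization again."""
    if tokens.refresh_expired(now):
        raise RuntimeError("refresh token expired; re-run the authorization flow")
    return TokenSet(post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": tokens.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }), now)
```

A caller would use `build_authorize_url(...)` to redirect the end user, `parse_callback(...)` on the return URL, `exchange_code(...)` once, and then, before each API call, check `tokens.access_expired()` and call `refresh(...)` when it is true; the `post` argument lets the exchange be exercised against a fake transport without touching the live endpoint.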