
Actionstep API Authorization uses the OAuth2 standard. This involves a series of communications between the resource server and the client to ensure the resource owner's identity and information are kept secure.

For more information see the OAuth2 documentation and RFC 6749.

Grant Types

Actionstep supports the Authorization grant type only (other methods may be introduced in the future). The Authorization grant type requires the client to direct the end-user to Actionstep's API authorization page. This will be followed by a second page where the end-user will authorize the client to access their system based on the specified scope.


Scope

Actionstep requires the use of the scope argument, which represents each resource that the client wishes to access. For example, the scope may be:

Requests access to the time records, actions and participants resources 

"timerecords actions participants"

...

The scope can either be set server-side, or on a request-by-request basis. Before granting access to the client application, the end-user will be shown the scope for which the client application is requesting access.

The API grants access on an end-user basis, so the API resources available to the client application will be limited by the end-user's permissions in Actionstep. Activity in Actionstep via the API will be logged against the authorizing end-user.

This scope also determines the output of the API resources, so you will only get data which is available to the scopes you request.

Tokens

Access Tokens have a 60 minute lifespan and can easily be renewed via the OAuth2 token endpoint by using a Refresh Token which has a 21 day lifespan (TBC). A Refresh Token is returned with every Access Token issued.

Our OAuth2 endpoints are (for production systems only):

https://

...

go.actionstep.com/api/oauth/authorize

https://api.actionstep.com/api/oauth/token

We currently only support the bearer OAuth token authorization method, which is easily used when requesting data via the header: "Authorization: Bearer {accesstoken}"

Our OAuth2 endpoints are (for development systems only):

https://go.actionstepstaging.com/api/oauth/authorize

https://api.actionstepstaging.com/api/oauth/token
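
The flow described above, as an added sketch that is not Actionstep's own code: it builds the authorization request with a scope and a CSRF `state` value, checks that value on the callback, and renews the Access Token shortly before its lifespan ends while always keeping the newest Refresh Token. It assumes the endpoints accept the standard RFC 6749 parameter names and client credentials in the form body; `TokenStore` and the `post` transport hook are hypothetical names.

```python
import secrets
import time
from urllib.parse import urlencode

# Development (staging) endpoints as listed on this page.
AUTHORIZE_URL = "https://go.actionstepstaging.com/api/oauth/authorize"
TOKEN_URL = "https://api.actionstepstaging.com/api/oauth/token"

def build_authorize_url(client_id, redirect_uri, scope):
    """Return (url, state); parameter names follow RFC 6749 section 4.1.1 (assumed)."""
    state = secrets.token_urlsafe(32)  # unguessable value the callback must echo back
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

class TokenStore:
    """Holds one end-user's token pair and renews the Access Token before it expires."""
    SKEW = 60  # seconds of safety margin before the stated expiry

    def __init__(self, post, client_id, client_secret, clock=time.time):
        # post(url, form) -> dict is a hypothetical transport hook (an HTTPS POST
        # returning the decoded JSON body), injected so the logic runs offline.
        self.post, self.clock = post, clock
        self.client_id, self.client_secret = client_id, client_secret
        self.access = self.refresh = None
        self.expires_at = 0.0

    def _request(self, form):
        # Sending client credentials in the form body is an assumption (RFC 6749 2.3.1).
        form.update(client_id=self.client_id, client_secret=self.client_secret)
        resp = self.post(TOKEN_URL, form)
        self.access = resp["access_token"]
        # A Refresh Token comes back with every Access Token: keep the newest one.
        self.refresh = resp.get("refresh_token", self.refresh)
        self.expires_at = self.clock() + int(resp.get("expires_in", 3600))  # 3600 s = 60 min

    def redeem_code(self, code, redirect_uri, expected_state, returned_state):
        # Reject callbacks whose state was not issued by build_authorize_url (CSRF check).
        if not secrets.compare_digest(expected_state, returned_state):
            raise ValueError("state mismatch, discarding authorization response")
        self._request({"grant_type": "authorization_code", "code": code,
                       "redirect_uri": redirect_uri})

    def auth_header(self):
        if self.access is None:
            raise RuntimeError("no tokens yet: call redeem_code first")
        if self.clock() >= self.expires_at - self.SKEW:
            self._request({"grant_type": "refresh_token", "refresh_token": self.refresh})
        return {"Authorization": f"Bearer {self.access}"}
```

Store the token pair per authorizing end-user, since the API logs activity against that user and limits results to that user's permissions.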

Obtaining Actionstep API Credentials

If you would like to connect to the API please contact support@actionstep.com with the details of your proposal. We will evaluate your proposal for suitability and check to see that the API can perform the functions you need. Once approved you will receive your API credentials to a test API environment where you can develop your application. When it is ready for release we will provide you with production API keys. If you require technical assistance during your API development this can be provided on a professional services basis, subject to availability and timing.