Authorization is required via the OAuth2 standard. For more information see the OAuth2 documentation and RFC 6749.
Grant Types
Currently, Actionstep supports the Authorization grant type only, but we may introduce other methods at later dates.
Scope
Actionstep requires the use of the scope argument, which represents each resource that the client wishes to access. For example the scope may be:
Requests access to the time records, actions and participants resources
"timerecords actions participants"
The scope can either be set server-side or on a request-by-request basis. Before granting access to the client system, the end user will be shown the scope for which client is requesting access. This is done so that the end user may understand what data they will be exposing to the client and has the opportunity to decline the request.
The API allows access on a end user basis, so the API resources available to the client will be limited by the end user's native access settings. Furthermore, data returned by any request will also be limited by the end user's native access settings. Activity in Actionstep via the API will be logged against the authorizing end user.
Tokens
All Access Tokens have a 30 minute lifespan and can easily be renewed via the OAuth2 token endpoint by using a Refresh Token which has a 14 day lifespan.
Our OAuth2 endpoints are: