Authorization ...

Authorization is required and uses the OAuth2 standard.

Currently we support the Authorization grant type only. We may introduce other methods as time goes on.

Actionstep requires the scope argument, which lists each resource that you want to access, for example: scope: "timerecords actions participants". This can be set either server side or on a request-by-request basis. Before granting access to your system, the user will be shown the scope you are requesting so they understand what data you will have access to.

The API grants access on a system user basis, so your API methods will only ever have access to the records which the user already has access to. Also, all activity using that access token will be logged under the user who authorized it.

This scope also determines the output of the API resources, so you will only get data which is available to the scopes you request.

All access tokens have a 30 minute lifespan. They can be renewed via the OAuth2 token endpoint using a refresh token, which has a 14 day lifespan (TBC).

Our OAuth2 endpoints are:

https://api.actionstep.com/api/oauth/authorize

https://api.actionstep.com/api/oauth/token

We currently only support the bearer OAuth token authorization method, which is used by sending the header "Authorization: Bearer {accesstoken}" when requesting data.
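The client-side bookkeeping described above (scoped authorize URL, 30 minute access token, refresh, bearer header), as an added example that is not Actionstep's own code. The query and form parameter names are assumed from RFC 6749 rather than taken from this page, `expires_in` in the token response is likewise an assumption, and the client ID, secret and redirect URI are placeholders you supply.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

AUTHORIZE_URL = "https://api.actionstep.com/api/oauth/authorize"  # from the page
TOKEN_URL = "https://api.actionstep.com/api/oauth/token"          # from the page
ACCESS_TTL = 30 * 60  # access-token lifespan stated on the page, in seconds

def build_authorize_url(client_id, redirect_uri, scopes):
    """Return (url, state); parameter names assumed from RFC 6749 section 4.1.1."""
    state = secrets.token_urlsafe(32)  # unguessable value binding the callback to this session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri,
                       "scope": " ".join(scopes),  # request only the resources you need
                       "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def state_matches(expected, received):
    """Constant-time check of the state echoed back on the redirect."""
    return hmac.compare_digest(expected.encode(), (received or "").encode())

class TokenStore:
    """Holds one user's tokens; keep it server side and out of logs."""
    def __init__(self, access_token, refresh_token, issued_at=None):
        issued_at = time.time() if issued_at is None else issued_at
        self.access_token, self.refresh_token = access_token, refresh_token
        self.expires_at = issued_at + ACCESS_TTL

    def needs_refresh(self, now, skew=60):
        # Refresh slightly early so a request never carries an expired token.
        return now >= self.expires_at - skew

    def refresh_body(self, client_id, client_secret):
        """Form fields to POST to TOKEN_URL (names assumed from RFC 6749 sections 2.3.1 and 6)."""
        return {"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": client_id, "client_secret": client_secret}

    def update(self, response, now):
        self.access_token = response["access_token"]
        # Keep the old refresh token unless the server issued a new one.
        self.refresh_token = response.get("refresh_token", self.refresh_token)
        self.expires_at = now + int(response.get("expires_in", ACCESS_TTL))

    def auth_header(self, now):
        if self.needs_refresh(now):
            raise RuntimeError("access token expired or about to expire; refresh first")
        return {"Authorization": f"Bearer {self.access_token}"}
```

Send `refresh_body(...)` as a form-encoded POST to `TOKEN_URL` over HTTPS and pass the parsed JSON response to `update`.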

For more information, see the OAuth2 documentation.
