Authorization is required via the OAuth2 standard.
Currently we support the Authorization grant type only, but we may introduce other methods as time goes on.
Actionstep requires the use of the scope argument, which represents each resource that the client wishes to access. For example the scope may be: "timerecords actions participants". This can either be set server side or on a request-by-request basis. Before granting access to the client system the end user will be shown the scope the client is requesting access for so that the end user may understand what data they will be exposing to the client.
The API grants access on a system user basis, so API methods available to the client will be limited by the end user's native access. Also all activity using that access token will be logged under the user who authorized it.
Scope also determines the output of the API resources, so the client will only receive data which is available to the scopes requested.
All access tokens have a 30 minute lifespan and can easily be renewed via the OAuth2 token endpoint using a refresh token which has a 14 day lifespan.
Our OAuth2 endpoints are:
https://api.actionstep.com/api/oauth/authorize
https://api.actionstep.com/api/oauth/token
We currently only support the Bearer oauth token authorization method, which is easily used when requesting data via the header: "Authorization: Bearer {accesstoken}"
For more information, see the oauth2 documentation.