Developing on Invoiced

OAuth

This guide is designed for developers who aim to connect to the Invoiced API with OAuth 2.0 authentication. OAuth is a secure, industry-standard protocol for authorization. By the end of this document, you'll be equipped with the knowledge to implement OAuth authentication for interacting with the Invoiced API, ensuring secure access to your users' Invoiced data.

Prerequisites

Before you start, ensure you have the following:

- An active Invoiced account
- Access to the Invoiced dashboard to create OAuth credentials
- A development environment capable of sending HTTP requests and handling responses

If you are building an application in the sandbox environment then change all URLs from "invoiced.com" to "sandbox.invoiced.com".

Step 1: Register your application

To use OAuth authentication, you must first register your application in the Invoiced dashboard. This process will provide you with the client ID and client secret necessary for the OAuth flow.

1. Log in to your Invoiced account.
2. Navigate to the Settings > Developers page.
3. Look for the OAuth Applications section.
4. Register a new OAuth application.
5. Fill in the required fields, such as the application name, and the callback URL. The callback URL is where the OAuth server will redirect after successful authentication.
6. Save your application.

After registration, you will receive a client ID and client secret. Keep these credentials safe; they are crucial for the OAuth flow.

Step 2: Implementing OAuth flow

OAuth authentication typically involves the following steps:

1. Authorization request: Direct the user to the Invoiced authorization URL, where they will log in and grant your application permission to access their account.
2. Access token request: After authorization, use the provided authorization code to request an access token.
3. API request: Use the access token to make authenticated requests to the Invoiced API.

2.1 Authorization request

Direct the user to the Invoiced authorization endpoint. Append the following query parameters:

- response_type: This should be code.
- client_id: The client ID obtained during application registration.
- redirect_uri: The same callback URL you provided during registration.
- scope: The permissions your application requires. This value should be set to read_write or read.
- state: To prevent CSRF attacks, add a unique token to confirm when the user returns to your website. This is optional.

Example authorization URL:

```
https://invoiced.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URL&scope=read_write&state=YOUR_STATE_VALUE
```

2.2 Access token request

Once the user authorizes your application, they will be redirected to your redirect_uri with a code parameter. Use this code to request an access token by sending a POST request to the Invoiced token endpoint with the following parameters:

- grant_type: This should be authorization_code.
- code: The authorization code you received.
- redirect_uri: Your callback URL.
- client_id: Your client ID.
- client_secret: Your client secret.

Example request using curl:

```
curl -X POST https://invoiced.com/oauth/access_token \
  -d "grant_type=authorization_code" \
  -d "code=AUTHORIZATION_CODE" \
  -d "redirect_uri=YOUR_CALLBACK_URL" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"
```

Example response:

```
{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "...",
  "refresh_token": "..."
}
```

2.3 API request

Use the access token obtained in the previous step to make authenticated API requests. The access token must be included in the Authorization header as a Bearer token.

Example request using curl:

```
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  https://api.invoiced.com/invoices
```

Step 3: Handling refresh tokens

Access tokens are short-lived for security reasons. When an access token expires, use the refresh token (received along with the access token) to obtain a new access token without requiring the user to re-authorize your application.

Send a POST request to the token endpoint with:

- grant_type: This should be refresh_token.
- refresh_token: The refresh token you received.

Example request for a refresh token:

```
curl -X POST https://invoiced.com/oauth/access_token \
  -d "grant_type=refresh_token" \
  -d "refresh_token=YOUR_REFRESH_TOKEN" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"
```

Conclusion

By following these steps, you can securely connect to the Invoiced API using OAuth authentication. This method ensures that your application can access only the data it is explicitly granted permission to, providing a secure and user-friendly way to integrate with Invoiced services.

Remember to keep your client ID and client secret secure, regularly update your application's security practices, and adhere to the OAuth standard to maintain a secure integration with the Invoiced API.
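
The state check from step 2.1 and the code exchange from step 2.2, as an added Python example that is not part of the Invoiced documentation or any Invoiced SDK. The function names, the callback URL `https://app.example/callback` and the credential values are constructed for illustration; only the authorization endpoint and the parameter names come from this guide.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://invoiced.com/oauth/authorize"  # endpoint from this guide


def new_state():
    """Unguessable per-login value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 2.1: the URL the user's browser is sent to."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope,
                       "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def code_from_callback(callback_url, expected_state):
    """Accept the authorization code only if state matches this session."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time compare. A missing or foreign state means this session did
    # not start the redirect, so the code must not be exchanged.
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def token_request_form(code, redirect_uri, client_id, client_secret):
    """Step 2.2: form fields for the POST to the token endpoint."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    state = new_state()
    cb = "https://app.example/callback"
    print(build_authorization_url("CLIENT_ID", cb, "read", state))
    code = code_from_callback(f"{cb}?code=SAMPLE_CODE&state={state}", state)
    print(token_request_form(code, cb, "CLIENT_ID", "CLIENT_SECRET"))
```

Discard the stored state after one callback so a replayed redirect fails the same check.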