Sendbox API authentication for integrating with your application.
Use the staging URL for all your test requests. Be sure to switch to the live URL when you are done with development.
- When creating this app, some fields are required.
Name: Your App Name
Description: A brief description of your app
Redirect URI: A URL that Sendbox will post your app code to so you can make a request to the OAuth endpoint.
You can create more than one Redirect URI.
Congratulations, you have successfully created your app.
Store your keys somewhere safe, then proceed to the part of the docs that explains how to get your refresh token.
Let's assume you are building a multi-vendor site. This means you have different sellers on your store, so shipments will come from different accounts. Follow the steps below for the complete OAuth flow.
- Once this is done, you will be given your app id and a secret.
- Create your redirect URL. This is the URL you are supposed to redirect your users to after they have given you access to their account.
- Build a Sendbox URL with the app ID, redirect URL, and the client secret. Also add the scopes (i.e. the permissions you need access to, like profile, shipping, payment, etc.).
- Then make a GET request to the access token endpoint with all these parameters as path parameters. Your access token is returned in the response.
All these steps are explained in detail below, including the steps required of your users.
When someone is logged into your app, and you want to access their Sendbox data, you can use the login dialog to prompt them to do both. If they aren't logged into Sendbox, they will be prompted to login and then redirected back to your app. This is automatically detected, so you don't need to do anything extra to enable this behavior.
Your app must initiate a redirect to an endpoint which will display the login dialog:
This endpoint has the following required parameters:
The ID of your app, found in your Sendbox dashboard.
The URL that you want to redirect the person logging in back to. This URL will capture the response from the Login Dialog.
A string value created by your app to maintain state between the request and callback. This parameter should be used for preventing Cross-site Request Forgery and will be passed back to you, unchanged, in your redirect URI.
For example, if your login request looks like:
Then your redirect URL would be called with this:
At this point in the login flow, the person will see the Login dialog and will have a choice of whether to cancel or to let the app access their data.
If the person using the app chooses OK on the Login dialog, they grant access to their public profile, friend list and any additional Permissions your app requested.
Because this redirect flow involves browsers being redirected to URLs in your app from the Login dialog, traffic could directly access this URL with made-up fragments or parameters. If your app assumed these were valid parameters, the made-up data would be used by your app for potentially malicious purposes. As a result, your app should confirm that the person using the app is the same person that you have response data for before generating an access token for them. Confirming identity is accomplished in different ways depending on the
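The state check described above, as an added example (not Sendbox's own code): the state value is signed on the server, bound to the user's session, time-limited, and accepted only once, so a callback with made-up parameters is rejected before any code is exchanged. The function names, the signing key, the 10-minute lifetime and the in-memory nonce set are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions (not from the Sendbox docs): a server-side signing key, a
# 10-minute lifetime, and an in-memory set standing in for a shared store.
STATE_KEY = secrets.token_bytes(32)
STATE_TTL = 600
_used_nonces = set()


def _tag(session_id, issued, nonce):
    """HMAC over the session, issue time and nonce."""
    msg = f"{session_id}.{issued}.{nonce}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()


def new_state(session_id, now=None):
    """Build the state value to send with the login redirect."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_urlsafe(16)
    return f"{issued}.{nonce}.{_tag(session_id, issued, nonce)}"


def consume_state(session_id, returned_state, now=None):
    """Return True only once, for a fresh state issued to this session."""
    parts = returned_state.split(".")
    if len(parts) != 3:
        return False
    issued, nonce, tag = parts
    expected = _tag(session_id, issued, nonce)
    # Compare as bytes in constant time; made-up values fail here.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False
    # The tag verified, so `issued` is a timestamp this server wrote.
    age = (time.time() if now is None else now) - int(issued)
    if not 0 <= age <= STATE_TTL:
        return False
    if nonce in _used_nonces:  # replayed callback
        return False
    _used_nonces.add(nonce)
    return True
```

Call `consume_state` in the redirect URI handler with the session ID of the current request, and exchange the code only when it returns True.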
When the code is received, it has to be exchanged for an access token using an endpoint. The call will need to be server-to-server, since it involves your app secret. (Your app secret should never end up in client code.)
As this API call requires using an app access token, never make this call from a client. Instead make this call from a server where you can securely store your app secret.
To get an access token, make an HTTP GET request to the following OAuth endpoint:
Get Access Token
A refresh token comes back in the response for the access token. You are advised to save this refresh token somewhere. It will be used to get a new access token when your access token expires. To do this, pass the refresh token in the header and make a GET request to the OAuth endpoint again. This will return a new access token.
The refresh token is only used when the access token expires.
When you call the refresh endpoint you get a new access_token and a new refresh_token. You are expected to save both, because the refresh token you used to make the request expires after use.
Get New Access Token
This app secret should never be included in client-side code or in binaries that could be decompiled. It is extremely important that it remains completely secret as it is the core of the security of your app and all the people using it.
code. The parameter received from the Login Dialog redirect above.