OAuth
OAuth2 is a protocol that lets external apps request authorization to private details in a user's Restyaboard account without getting their password. Users can revoke this authorization at any time.
Before getting started, developers need to create their application in the Restyaboard admin side. A registered OAuth application is assigned a unique Client ID and Client Secret. The Client Secret should not be shared. You may create a personal access token for your own use or implement the web flow below to allow other users to authorize your application.
Web Application Flow
This is a description of the OAuth2 flow from 3rd party web sites.
1. Redirect users to request GitHub access
GET /oauth/authorize
Parameters
| Name | Type | Description |
|---|---|---|
| response_type | string | Required. The response type value is "code" |
| client_id | string | Required. The client ID you received from Restyaboard. |
| redirect_uri | string | Required. The URL in your app where users will be sent after authorization. |
| scope | string | Required. The scope value is "read write" |
| state | string | Required. An unguessable random string. It is used to protect against cross-site request forgery attacks. |
2. Restyaboard redirects back to your site
If the user accepts your request, Restyaboard redirects back to your site with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. If the states don't match, the request has been created by a third party and the process should be aborted.
Exchange this for an access token:
POST /api/v1/oauth/token.json
You have to set Basic authorization for all API calls, as shown below.
Authorization: Basic client_id:client_secret
Parameters
| Name | Type | Description |
|---|---|---|
| code | string | Required. The code you received as a response to Step 1. |
| redirect_uri | string | Required. The URL in your app where users will be sent after authorization. |
| state | string | Required. The unguessable random string you optionally provided in Step 1. |
Response
By default, the response will take the following form:
{"access_token":"xxxxxxxx", "expires_in":3600, "token_type":"Bearer", "scope":"read", "refresh_token":"xxxxxxxx"}
3. Use the access token to access the API
The access token allows you to make requests to the API on behalf of a user.
GET http://board.demo.restya.com/api/v1/boards.json?token=...
You can pass the token in the query params, as shown above.
You have to set Basic authorization for all API calls, as shown below.
Authorization: Basic client_id:client_secret
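The client side of Steps 1 and 2, as an added example that is not Restyaboard's own code: it binds a fresh state to the user's session, rejects a callback whose state does not match, and prepares the token request. The client ID, client secret, redirect URI, and function names are constructed placeholders, and the Basic header is assumed to follow RFC 7617 (base64 of client_id:client_secret).

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

BASE_URL = "http://board.demo.restya.com"      # host from the page's Step 3 example
CLIENT_ID = "example-client-id"                # constructed placeholder
CLIENT_SECRET = "example-client-secret"        # constructed placeholder
REDIRECT_URI = "https://app.example/callback"  # constructed placeholder


def build_authorize_url(session):
    """Step 1: create a fresh state, bind it to the session, return the redirect URL."""
    state = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "read write",
        "state": state,
    })
    return f"{BASE_URL}/oauth/authorize?{query}"


def handle_callback(session, callback_url):
    """Step 2: verify state, then return (url, headers, params) for the token POST."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    received = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    # Constant-time comparison; a missing or different state aborts the flow.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: abort the flow")
    if not code:
        raise ValueError("callback carried no code")
    # Assumption: RFC 7617 encoding of the client credentials.
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}"}
    # How the server expects these parameters encoded in the POST is not stated on the page.
    params = {"code": code, "redirect_uri": REDIRECT_URI, "state": received}
    return f"{BASE_URL}/api/v1/oauth/token.json", headers, params
```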
Webhooks
Webhooks allow you to build or set up integrations for each activity on Restyaboard. When any activity is triggered, we'll send an HTTP POST payload to the webhook's configured URL. Webhooks can be used to update external applications.
Currently, webhooks can be added through the API only.