Authentication
Applications must be registered and enabled. This can be done from the iCoStaffTime Settings -> Integrations -> Applications.
Online access
Sign in and authorise the registered application for time-limited access:
https://www.icostafftime.com/auth/authorize?response_type=token&scope=read+write&client_id=CLIENT_ID
Once authorisation is granted, the browser will be redirected back to the registered URL for this client_id with the following URL query parameters:
- access_token - to access the iCoStaffTime API
- expires_in - number of seconds the access_token is valid for
- scope - the scope authorised by the user
- token_type - the type of token e.g. “Bearer”
- organisation_id - the organisation_id that the user granted the application access for
If there is an error, such as access to the application not being granted, the browser will be redirected back to the registered URL for this client_id with the following URL query parameters:
- error
- error_description
Offline access
Sign in and authorise the registered application for access:
https://www.icostafftime.com/auth/authorize?response_type=code&scope=read+write&client_id=CLIENT_ID
Once authorisation is granted, the browser will be redirected back to the registered URL for this client_id with the following URL query parameter:
- code - use to fetch access and refresh tokens
If there is an error, such as access to the application not being granted, the browser will be redirected back to the registered URL for this client_id with the following URL query parameters:
- error
- error_description
Access and refresh tokens can then be obtained by the application for offline access by performing an HTTP POST using the provided code. Additionally, the organisation_id that was approved for access by the user is included in the JSON response.
$ curl -X POST --user CLIENT_ID:CLIENT_SECRET \
"https://www.icostafftime.com/auth/token?grant_type=authorization_code&code=CODE"
{
"access_token": "XXXXX",
"expires_in": 1800,
"refresh_token": "XXXXX",
"scope": "read write",
"token_type": "Bearer",
"organisation_id": "XXXXX"
}
When the access_token expires, a new one can be obtained by performing an HTTP POST using the previously issued refresh_token. The previously issued refresh_token will no longer be valid, and the new one returned in the JSON response must be used for the next refresh call.
$ curl -X POST --user CLIENT_ID:CLIENT_SECRET \
"https://www.icostafftime.com/auth/token?grant_type=refresh_token&refresh_token=REFRESH_TOKEN"
{
"access_token": "XXXXX",
"expires_in": 1800,
"refresh_token": "XXXXX",
"scope": "read write",
"token_type": "Bearer"
}
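The following is an added example, not iCoStaffTime's own code, showing how a client would handle the flows described above end to end: building the authorisation URL, classifying the redirect (error checked before success), exchanging the code with HTTP Basic client credentials as the curl commands do, and refreshing with rotation so the stored refresh_token is replaced only when the endpoint actually answers 200. The endpoint URLs and JSON field names come from the page; the `transport` callable and `make_fake_server` (which issues constructed token values and rejects an already-rotated refresh_token) are assumptions made so the code runs offline.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint URLs as given on the page.
AUTHORIZE_URL = "https://www.icostafftime.com/auth/authorize"
TOKEN_URL = "https://www.icostafftime.com/auth/token"


def authorize_url(client_id, scope="read write", offline=True):
    """Authorisation URL: response_type=code for offline access, token for online."""
    params = {"response_type": "code" if offline else "token",
              "scope": scope, "client_id": client_id}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url):
    """Classify the redirect query: error (checked first so a refused grant is
    never read as success), code (offline flow) or token set (online flow)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if "error" in q:
        return "error", {"error": q["error"],
                         "error_description": q.get("error_description", "")}
    if "code" in q:
        return "code", q["code"]
    if "access_token" in q:
        keys = ("access_token", "expires_in", "scope", "token_type", "organisation_id")
        return "token", {k: q[k] for k in keys if k in q}
    raise ValueError("redirect carries neither a code, tokens nor an error")


class TokenClient:
    """Holds the current token pair; `transport(method, url, headers) -> (status, body)`
    is an assumed callable standing in for a real HTTP client."""

    def __init__(self, client_id, client_secret, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport
        self.access_token = self.refresh_token = self.organisation_id = None

    def _auth_header(self):
        # curl --user CLIENT_ID:CLIENT_SECRET sends HTTP Basic credentials.
        creds = f"{self.client_id}:{self.client_secret}".encode()
        return {"Authorization": "Basic " + base64.b64encode(creds).decode()}

    def _post_token(self, params):
        status, body = self.transport("POST", TOKEN_URL + "?" + urlencode(params),
                                      self._auth_header())
        if status != 200:
            # Leave stored tokens untouched on failure so a retry is still possible.
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        data = json.loads(body)
        self.access_token = data["access_token"]
        # Rotation: the server invalidates the refresh_token just used, so the
        # one in the response must replace it immediately.
        self.refresh_token = data["refresh_token"]
        self.organisation_id = data.get("organisation_id", self.organisation_id)
        return data

    def exchange_code(self, code):
        return self._post_token({"grant_type": "authorization_code", "code": code})

    def refresh(self):
        if not self.refresh_token:
            raise RuntimeError("no refresh_token stored; complete the authorisation step first")
        return self._post_token({"grant_type": "refresh_token",
                                 "refresh_token": self.refresh_token})


def make_fake_server():
    """Constructed stand-in for the token endpoint (not the real service): checks the
    Basic credentials, issues numbered tokens, and rejects a rotated-out refresh_token."""
    live_refresh, counter = set(), [0]
    expected = "Basic " + base64.b64encode(b"CLIENT_ID:CLIENT_SECRET").decode()

    def issue(with_org):
        counter[0] += 1
        rt = f"refresh-{counter[0]}"
        live_refresh.add(rt)
        body = {"access_token": f"access-{counter[0]}", "expires_in": 1800,
                "refresh_token": rt, "scope": "read write", "token_type": "Bearer"}
        if with_org:
            body["organisation_id"] = "org-constructed"
        return 200, json.dumps(body)

    def transport(method, url, headers):
        if method != "POST" or headers.get("Authorization") != expected:
            return 401, json.dumps({"error": "invalid_client"})
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("grant_type") == "authorization_code" and q.get("code") == "CODE":
            return issue(True)
        if q.get("grant_type") == "refresh_token" and q.get("refresh_token") in live_refresh:
            live_refresh.discard(q["refresh_token"])  # the used token dies here
            return issue(False)
        return 400, json.dumps({"error": "invalid_grant"})

    return transport
```

The point of the fake server is to make the rotation rule visible: after `refresh()` succeeds, presenting the earlier refresh_token again is refused, and because `_post_token` only overwrites the stored pair on a 200 response, a failed refresh leaves the client holding the token it already had rather than a half-updated state.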