Version 2 (OAUTH2)

Authorization flow

The API version 2 implements the OAuth2 authorization framework, enabling secure authentication and authorization to access its resources. This flow has been developed specifically for the Make Academy Custom Apps Development course, aiming to simulate a real-world authentication and authorization process.

Every developer can integrate Custom App Academy API V2 by obtaining up to one app access that involves registration of their application and obtaining client credentials.

To obtain the necessary client credentials (client ID and secret), you can submit the form. If you have previously submitted the form for API version 1, you should already have received the credentials to API version 2 via email.

To provide a realistic user authorization experience, API version 2 includes a feature where users can select the specific account they want to connect with the application. This mimics the behavior seen in real-world applications.

Each app user (John Doe/Jane Black) can have only one active connection. If you generate a new connection, the existing one will be removed.

Step one: Redirect a user to your app

Redirect the user to authorize endpoint. This will prompt the user to allow your application to access the Custom App Academy API on their behalf. You need the user to allow the connect scope to successfully authorize access. To obtain the code parameter to authorize token request, set the response_type to code.

Endpoint to authorize access.

This endpoint enables authorization of your access to API. Minimum scope is 'connect'. Response_type should be 'code'.

GEThttps://app-academy.make.com/api/v2/authorize

Query parameters

Response

Body

codestring

Request

Response

Step two: Handle the callback request

Once a user decides to allow or disallow your application access to their account, Custom App Academy will redirect them to the OAuth2 redirect URL that you set when submitting your form.

If there was an error processing the request, the response will contain an error.message parameter. If the request was successful, the response will contain code parameter.

Step three: Retrieve an access token and refresh token

Use your application client id and client secret together with code from the previous step to issue a request to token endpoint. You must use the same redirect URL in the token request and authorization_code grant type.

A successful request will respond with access_token, expires-in, refresh_token and refresh_expires_in parameters. Expires-in and refresh_expires_in values are in minutes.

Endpoint to retrieve token.

This endpoint retrieves the token.

POSThttps://app-academy.make.com/api/v2/token

Body

code*string

client_id*string

grant_type*string

redirect_uri*string

client_secret*string

Response

Body

access_tokenstring

expires_innumber

refresh_tokenstring

refresh_expires_innumber

Request

Response

Step four: Make an API request

After obtaining the access token, you can send requests to App Academy API that contain the authorization header in this format: Bearer {access_token}.

Endpoint to retrieve info about the connected account.

This endpoint retrieves info about the connected account. Format of authorization: 'Bearer [accessToken]'.

GEThttps://app-academy.make.com/api/v2/info

Header parameters

Response

Body

idstring

userstring

Request

const response = await fetch('https://app-academy.make.com/api/v2/info', {
    method: 'GET',
    headers: {},
});
const data = await response.json();

Response

{
  "id": "d1b03e513fbc5881651d6c149fd259506f975ae1",
  "user": "Jane Doe"
}

Step five: Refresh the access token

The API provides the expires_in parameter in the token response to determine if the user's access token has expired. If it has, use the refresh endpoint to retrieve a new access token and refresh token. Expires-in and refresh_expires_in values are in minutes. To obtain a new access token and refresh token, the refresh token must not be expired!

Endpoint to retrieve a new refresh token.

This endpoint retrieves the refresh token.

POSThttps://app-academy.make.com/api/v2/refresh

Body

client_idstring

grant_typestring

client_secretstring

refresh_tokenstring

Response

Body

access_tokenstring

expires_innumber

refresh_tokenstring

refresh_expires_innumber

Request

Response

Step six: Invalidation of access

If the user wants to invalidate the access of your app to Custom App Academy API, use the invalidate endpoint.

Endpoint to invalidate the access token.

This endpoint invalidates the access token. Format of authorization: 'Bearer [accessToken]'.

GEThttps://app-academy.make.com/api/v2/invalidate

Header parameters

Response

Request

Scopes

API Version 2 provides integration with scopes. Scopes provide a granular level of access control and ensure that users can only access the specific resources they need. The following scopes are supported:

Endpoint	Scope
authorize	connect
any GET endpoint*	read
any POST/PUT/PATCH endpoint	write
any DELETE endpoint	delete

Endpoint

Scope

authorize

connect

any GET endpoint*

read

any POST/PUT/PATCH endpoint

write

any DELETE endpoint

delete

*except for /info endpoint

Endpoints

In API version 2, all the endpoints available in API version 1 are fully supported. To make API calls in version 2, you need to use the URL for API version 2 as well as to ensure proper authorization and scope management by following the instructions provided above.

pageVersion 1 (API key)

PreviousVersion 1 (API key)NextVersion 3

Last updated 9 months ago