OAuth
Below we explain how to integrate with the GetResponse API using the OAuth2 protocol.
Registering your own application
If you want to use the OAuth flow to authorize your application, the first thing you need to do is register your application at: https://app.getresponse.com/manage_api.html
You need to set a name, a short description and a callback URL.
Choosing grant flow
Once you have registered your application, you can click on it to see your client_id and client_secret. These are like a login and password for your application, so keep them secret!
Now you must choose which authentication flow (grant type) you want to use. Here are some hints:
- If your application is server based (you have a server with its own domain and server-side code), then you probably want the 'Authorization Code' flow
- If your application is mostly based on JavaScript / client-side code, you should choose the 'Implicit' flow
- If you want to test your application or you want to access only your account on GetResponse, then you can choose the 'Client Credential' flow.
- If you are using the 'Authorization Code' flow, you should also implement the 'Refresh Token' flow to handle token expiration.
Below are some examples of what those flows look like.
Example of Authorization Code flow request
First, your application must redirect the resource owner to this URL:
https://app.getresponse.com/oauth2_authorize.html?response_type=code&client_id=_your_client_id_&state=xyz
The state parameter is there for security reasons. After the resource owner agrees to grant your application access to the resource, we will redirect the browser to the redirect URL you specified during application registration and attach the same state as a parameter. This way you will know that this request is from us. The 'code' parameter is the authorisation_code, which should be exchanged for the access_token within the next 10 minutes. After that it expires.
https://myredirecturi.com/cb?code=ed17c498bfe343175cd7684c5b09979f2875b25c&state=xyz
This is a request for exchanging authorisation_code for access_token.
curl -u client_id:client_secret https://api.getresponse.com/v3/token \
  -d 'grant_type=authorization_code&code=ed17c498bfe343175cd7684c5b09979f2875b25c'
Response:
{
"access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35",
"expires_in":3600,
"token_type":"bearer",
"scope":null,
"refresh_token": "170d9f64e781aaa6b3ba036083faba71b2fc4e6c"
}
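The server side of this flow, as an added example (not GetResponse's own code): it issues a random state per redirect, rejects any callback whose state does not match the one stored for that user, and builds the same token request as the curl call above. The session dict and the function names are assumptions; the request is built but not sent.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request

AUTHORIZE_URL = "https://app.getresponse.com/oauth2_authorize.html"
TOKEN_URL = "https://api.getresponse.com/v3/token"


def begin_authorization(client_id, session):
    """Create a fresh state, remember it in the user's session, return the redirect URL."""
    state = secrets.token_urlsafe(32)  # unguessable, unlike the fixed 'xyz' in the sample URL
    session["oauth_state"] = state
    query = urlencode({"response_type": "code", "client_id": client_id, "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, session):
    """Return the authorization code only if the state matches the one we issued."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code")
    if not codes:
        raise ValueError("callback carries no authorization code")
    return codes[0]


def build_token_request(client_id, client_secret, code):
    """Equivalent of the curl call: HTTP Basic client auth plus a form body (POST)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "code": code}).encode()
    return Request(TOKEN_URL, data=body, headers={"Authorization": f"Basic {basic}"})


if __name__ == "__main__":
    session = {}  # assumption: stands in for server-side session storage
    url = begin_authorization("_your_client_id_", session)
    state = parse_qs(urlparse(url).query)["state"][0]
    # Constructed callback, shaped like the redirect shown above.
    cb = f"https://myredirecturi.com/cb?code=ed17c498bfe343175cd7684c5b09979f2875b25c&state={state}"
    req = build_token_request("client_id", "client_secret", handle_callback(cb, session))
    print(req.get_method(), req.full_url, req.data.decode())
```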
Example of Client Credential flow request
This flow is best for development use, when you need quick access to the API to start building functionality. You can obtain the access_token with:
Request:
curl -u client_id:client_secret https://api.getresponse.com/v3/token -d 'grant_type=client_credentials'
Response:
{
"access_token": "e2222af2851a912470ec33c9b4de1ea3a304b7d7",
"expires_in": 86400,
"token_type": "Bearer",
"scope": null
}
You can also go to the https://app.getresponse.com/manage_api.html page, click the action button for your integration and select 'generate credentials'. This will open a popup with an access_token ready to use. After that you can use the access_token for standard use of our API, e.g.:
curl -H "Authorization: Bearer e2222af2851a912470ec33c9b4de1ea3a304b7d7" https://api.getresponse.com/v3/from-fields
Example of Implicit credential flow request
First, your application must redirect the resource owner to this URL:
https://app.getresponse.com/oauth2_authorize.html?response_type=token&client_id=_your_client_id_&redirect_uri=https://myredirecturi.com/cb&state=xyz
After the resource owner agrees to grant your application access to the resource, we will redirect the browser to the redirect URI that was specified in the request.
Unlike the Authorization Code flow, this redirect already carries the access_token information in the URL fragment (the part after #). There is no authentication process involved.
https://myredirecturi.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=bearer&expires_in=3600
Example of Refresh Token flow request
If you receive this error message as a response to your request:
{
"httpStatus": 401,
"code": 1014,
"codeDescription": "Problem during authentication process, check headers!",
"message": "The access token provided is expired",
"moreInfo": "https://apidocs.getresponse.com/en/v3/errors/1014",
"context": {
"sentToken": "b8b1e961a7f9fd4cc710d5d955e09c15a364ab71"
}
}
That means that you must refresh your access_token. If you are using the Authorization Code flow, then you should use the refresh_token to issue a new pair of access_token and refresh_token by making a request like this:
curl -u client_id:client_secret https://api.getresponse.com/v3/token \
  -d 'grant_type=refresh_token&refresh_token=170d9f64e781aaa6b3ba036083faba71b2fc4e6c'
In response you receive:
{
"access_token": "890fdsa2f5d7b189fc4e6c4b1d170d9f591238ss",
"expires_in": 86400,
"token_type": "Bearer",
"scope": null,
"refresh_token": "170d9f64e781aaa6b3ba036083faba71b2fc4e6c"
}
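One way to wire this into a client, as an added example (not GetResponse's own code): it recognises the expired-token error shown above, refreshes once, stores whatever token pair the response returns, and retries the call a single time so a failing refresh cannot loop. The TokenStore class and the send / post_token transport hooks are assumptions, as is matching on the word "expired" in the message to tell expiry apart from other 1014 authentication errors.

```python
import json
import time
from urllib.parse import urlencode


def is_expired_token_error(status, body):
    """Match the error shown above: HTTP 401, code 1014, message mentioning expiry."""
    if status != 401:
        return False
    try:
        err = json.loads(body)
    except ValueError:
        return False
    return (isinstance(err, dict) and err.get("code") == 1014
            and "expired" in str(err.get("message", "")).lower())


class TokenStore:
    def __init__(self, access_token, refresh_token):
        self.access_token, self.refresh_token, self.expires_at = access_token, refresh_token, 0.0

    def refresh_body(self):
        # Form body of the curl refresh request; client_id:client_secret go in Basic auth.
        return urlencode({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def apply(self, token_response):
        data = json.loads(token_response)
        if not data.get("access_token") or str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token response")
        self.access_token = data["access_token"]
        # Store the refresh_token from the response; keep the old one only if none is returned.
        self.refresh_token = data.get("refresh_token") or self.refresh_token
        self.expires_at = time.time() + int(data.get("expires_in", 0))


def call_with_refresh(store, send, post_token):
    """send(access_token) -> (status, body); post_token(form_body) -> token response JSON.
    Both callables are hypothetical transport hooks. Refreshes and retries at most once."""
    status, body = send(store.access_token)
    if is_expired_token_error(status, body):
        store.apply(post_token(store.refresh_body()))
        status, body = send(store.access_token)
    return status, body
```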
GetResponse 360
There are some differences when authenticating GetResponse 360 users:
- Application must redirect to the page in the client's custom domain, for example:
https://custom-domain.getresponse360.com/oauth2_authorize.html
- Token requests have to be sent to one of the GetResponse 360 APIv3 endpoints (depending on the client's environment)
- Token requests have to include the X-Domain header
- Application has to be registered in a GetResponse 360 account within the same environment