This guide shows you how to get a user’s authorization to access private data through the Web API.

Introduction

All the Yuvo API require authorization; that is, the company admin must have granted permission for an application to access the requested data. To prove that the company admin has granted permission, the request header sent by the application must include a valid access token.

As the first step towards authorization, you will need to register your application. That will give you a unique client ID and client secret key to use in the authorization flows.

Supported Authorization Flows

The Yuvo API currently supports two authorization flows:

  • The Client Credentials flow allows you to get an access token by supplying your client credentials (client ID and secret key). This flow is used in server-to-server authentication.
    Note: With this access token you can create companies and push employee's data from your application. You get full update access to these companies data.

    You are responsible for obtaining authorization from your application's users before using this API. Access to any other company (already existing on Yuvo platform) data could only be done via Authorization Code

  • The Authorization Code flow first gets a code then exchanges it for an access token and a refresh token once authorization has been granted by a company admin user. This token gives only access to that particular company data.

    Since the exchange uses your client secret key, you should make that request server-side to keep the integrity of the key. An advantage of this flow is that you can use refresh tokens to extend the validity of the access token.

    Note: This flow is only necessary for accessing Yuvo data not created by your application via Client Credentials. You will use this flow when an existing Yuvo account company admin will subscribe to your application and give it access to their existing Yuvo data.

Client Credentials Flow

The method authenticates your application requests to the Yuvo API. It gives you full create/update access to Yuvo companies data that were originally sent by your application. This flow is described in RFC-6749.

Client Credentials Flow Diagram

1. Your application requests authorization

The request is sent to the /api/token endpoint of the Accounts service:

POST https://api.yuvohub.com/oauth/token/

The request will include parameters in the request body:

Request body parameter
Value
grant_type
Required. Set it to “client_credentials”.

The header of this POST request must contain the following parameter:

Header parameter
Value
Authorization
Required. Base 64 encoded string that contains the client ID and client secret key. The field must have the format: Authorization: Basic <base64 encoded client_id:client_secret>

For example:

curl -H "Authorization: Basic ZjM4ZjAw...WY0MzE=" -d grant_type=client_credentials https://api.yuvohub.com/oauth/token/
{
   "access_token": "NgCXRKc...MzYjw",
   "token_type": "bearer",
   "expires_in": 3600,
}

2. Use the access token to access the Yuvo API

The access token allows you to make requests to the Yuvo API endpoints that do not require user authorization.

Authorization Code Flow

This method is suitable for long-running applications which the user logs into once. It provides an access token that can be refreshed. Since the token exchange involves sending your secret key, this should happen on a secure location, like a backend service, not from a client like a browser or mobile apps. This flow is described in RFC-6749.

Authorization Code Flow Diagram

1. Your application requests authorization

The authorization process starts with your application sending a request to the Yuvo OAuth Service. (The reason your application sends this request can vary: it may be a step in the initialization of your application or in response to some user action, like a button click.) The request is sent to the /authorize endpoint of the Accounts service:

GET https://api.yuvohub.com/oauth/authorize/

The request will include parameters in the query string:

Query parameter
Value
client_id
Required. The client ID provided to you by Yuvo when you register your application.
response_type
Required. Set it to code.
redirect_uri
Required. The URI to redirect to after the user grants/denies permission. This URI needs to have been entered in the Redirect URI whitelist that you specified when you registered your application. The value of redirect_uri here must exactly match one of the values you entered when you registered your application, including upper/lowercase, terminating slashes, etc.
state
Optional, but strongly recommended. The state can be useful for correlating requests and responses. Because your redirect_uri can be guessed, using a state value can increase your assurance that an incoming connection is the result of an authentication request. If you generate a random string or encode the hash of some client state (e.g., a cookie) in this state variable, you can validate the response to additionally ensure that the request and response originated in the same browser. This provides protection against attacks such as cross-site request forgery. See RFC-6749.

A typical request looks like this:

GET https://api.yuvohub.com/oauth/authorize/?client_id=5fe01282e44241328a84e7c5cc169165&response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&state=34fFs29kd09

2. The user is asked to authorize access within the scopes

The Yuvo OAuth service presents details of the scopes for which access is being sought. If the user is not logged in, they are prompted to do so using their Yuvo credentials.

When the user is logged in, they are asked to authorize access to the data sets defined in the scopes.

3. The user is redirected back to your specified URI

After the user accepts (or denies) your request, the Yuvo OAuth service redirects back to the redirect_uri. For our example, this would be the address:

https://developers.yuvohub.com/callback/

If the user has accepted your request, the response query string contains the following parameters:

Query parameter
Value
code
An authorization code that can be exchanged for an access token.
state
The value of the state parameter supplied in the request.

For example:

https://developers.yuvohub.com/callback/?code=NApCCg..BkWtQ&state=profile%2Factivity

If the user has not accepted your request or an error has occurred, the response query string contains the following parameters:

Query parameter
Value
error
The reason authorization failed, for example: “access_denied”
state
The value of the state parameter supplied in the request.

For example:

https://developers.yuvohub.com/callback/?error=access_denied&state=STATE

4. Your application requests refresh and access tokens

When the authorization code has been received, you will need to exchange it with an access token by making a POST request to the Yuvo OAuth Service, this time to its /api/token endpoint:

POST https://api.yuvohub.com/oauth/token/

The body of this POST request must contain the following parameters:

Request body parameter
Value
grant_type
Required. As defined in the OAuth 2.0 specification, this field must contain the value "authorization_code".
code
Required. The authorization code returned from the initial request to the Account's /authorize endpoint.
redirect_uri
Required. This parameter is used for validation only (there is no actual redirection). The value of this parameter must exactly match the value of redirect_uri supplied when requesting the authorization code.
Header parameter
Value
Authorization
Required. Base 64 encoded string that contains the client ID and client secret key. The field must have the format: Authorization: Basic <base64 encoded client_id:client_secret>

An alternative way of sending the client id and secret is as request parameters (client_id and client_secret) in the POST body, instead of sending them base64-encoded in the header.

5. The tokens are returned to your application

On success, the response from the Yuvo OAuth Service has the status code 200 OK in the response header, and the following JSON data in the response body:

Key
Value type Value description
access_token
string An access token that can be provided in subsequent calls, for example to Yuvo API services.
token_type
string How the access token may be used: always "Bearer".
expires_in
int The time period (in seconds) for which the access token is valid.
refresh_token
string A token that can be sent to the Yuvo OAuth Service in place of an authorization code. (When the access code expires, send a POST request to the Accounts service /api/token endpoint, but use this code in place of an authorization code. A new access token will be returned. A new refresh token might be returned too.)

An example cURL request and response from the token endpoint will look something like this:

curl -H "Authorization: Basic ZjM...zE=" -d grant_type=authorization_code -d code=MQCbtKe...44KN -d redirect_uri=https%3A%2F%2Fwww.foo.com%2Fauth https://api.yuvohub.com/oauth/token/
{
   "access_token": "NgCXRK...MzYjw",
   "token_type": "Bearer",
   "scope": "user-read-private user-read-email",
   "expires_in": 3600,
   "refresh_token": "NgAagA...Um_SHo"
}

6. Use the access token to access the Yuvo API

The access token allows you to make requests to the Yuvo API on a behalf of a user, for example:

curl -H "Authorization: Bearer NgCXRK...MzYjw" https://api.yuvohub.com/companies
{
    "name": ...,
    "uen_code": ...,
    "sector": ...,
    "entity_type": ...,
    "entity_sub_type": ...,
    "work_locations": ...,
    "departments": ...,
}

7. Requesting access token from refresh token

Access tokens are deliberately set to expire after a short time, after which new tokens may be granted by supplying the refresh token originally obtained during the authorization code exchange.

The request is sent to the token endpoint of the Yuvo OAuth Service:

POST https://api.yuvohub.com/oauth/token/

The body of this POST request must contain the following parameters:

Request body parameter Value
grant_type
Required. Set it to “refresh_token”.
refresh_token
Required. The refresh token returned from the authorization code exchange.

The header of this POST request must contain the following parameter:

Header parameter
Value
Authorization
Required. Base 64 encoded string that contains the client ID and client secret key. The field must have the format: Authorization: Basic <base64 encoded client_id:client_secret>

For example:

curl -H "Authorization: Basic ZjM4Zj...Y0MzE=" -d grant_type=refresh_token -d refresh_token=NgAagA...NUm_SHo https://api.yuvohub.com/oauth/token/
{
   "access_token": "NgA6ZcYI...ixn8bUQ",
   "token_type": "Bearer",
   "scope": "user-read-private user-read-email",
   "expires_in": 3600
}