Documentation & User Guides | Fotoware

Non-interactive application authorization with OAuth 2.0

Non-interactive applications

This variant of the authorization process is for non-interactive applications, i.e. apps in which there is no user interaction. A non-interactive application gets full administrative access to all resources on the tenant; it is not possible to make requests in the context of a user.

Note: OAuth for non-interactive applications is intended for use with server applications or scripts, not for public clients or browser apps. It's also important to note that the client secret must not be exposed to users or other unauthorized persons.

Application Registration

When registering the application in the FotoWeb site settings (Settings tab, then Services > Applications), choose Non-interactive / script.
The configuration interface will generate a client ID and a client secret.

[Image: OAuth for non-interactive apps]

Make a note of the client secret (or store it immediately in application code or configuration), as there is no way to recover it after application registration. If the client secret is lost, then you have to generate a new one in the application registration interface.

Protocol Flow

The client makes the following request to the token endpoint to obtain the access token (line breaks are added for readability).

All parameter values MUST be URL-encoded.

POST https://myfotowebserver.com/fotoweb/oauth2/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

and with these parameters in the body

grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

where

Parameter      Description
grant_type     REQUIRED. Must always be client_credentials.
client_id      REQUIRED. The unique ID of the client, which was obtained during client registration.
client_secret  REQUIRED. The secret of the client, which was obtained during client registration.

On success, the server responds as follows:

200 OK
Content-Type: application/json

with the following response body:

{
  "access_token": ACCESS_TOKEN,
  "token_type": "bearer",
  "expires_in": EXPIRES_IN_SECONDS,
  "refresh_token": REFRESH_TOKEN
}

where

Parameter      Description
access_token   The access token that is used to authorize requests to the FotoWeb API.
token_type     This is always bearer.
expires_in     Number of seconds after which the token is expected to expire.
refresh_token  OPTIONAL: A refresh token that can be used to request a new access token. For more information, see the section "Refreshing Tokens".

The application can obtain the access token by parsing the response body.

Refresh tokens are highly sensitive, as they have long (or infinite) expiration times and can be used to request new access tokens.

A client SHOULD store the refresh token in a safe place so it cannot be accessed by unauthorized parties. A client SHOULD NOT expose a refresh token to a user agent (browser). A client that does not use refresh tokens SHOULD NOT store the refresh token at all.
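The flow above (client_credentials POST, JSON response, refresh token discarded because this client never uses it) as an added example script; it is not Fotoware's own code. It assumes the placeholder host from this page and takes the client ID and secret as arguments so they can be read from the environment rather than hard-coded.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder host from the page; the client ID and secret come from the
# application registration and should be read from the environment, never hard-coded.
TOKEN_URL = "https://myfotowebserver.com/fotoweb/oauth2/token"


def build_token_request(client_id, client_secret):
    """Return (headers, body) for the client_credentials POST.

    urlencode percent-encodes every value, so a secret containing '&', '=' or
    '+' cannot break the form body or be misparsed by the server.
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return headers, body


def parse_token_response(raw, now):
    """Validate the JSON token response and compute an absolute expiry time.

    The refresh_token is deliberately not retained: this client does not use
    it, so storing it would only widen the impact of a compromise.
    """
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    if not isinstance(data.get("access_token"), str) or not data["access_token"]:
        raise ValueError("response has no access_token")
    expires_in = int(data["expires_in"])
    # Treat the token as expired 30 s early so an in-flight request never uses a stale one.
    return {"access_token": data["access_token"],
            "expires_at": now + max(expires_in - 30, 0)}


def fetch_access_token(client_id, client_secret):
    """Perform the POST against the token endpoint (needs network access)."""
    headers, body = build_token_request(client_id, client_secret)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read(), time.time())
```

Call fetch_access_token with values read from environment variables (for example os.environ["FOTOWEB_CLIENT_ID"] and os.environ["FOTOWEB_CLIENT_SECRET"]) and send the returned access_token as a bearer token; re-run it once time.time() passes expires_at.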