Authorization

Fundamentals on authorization in apps.

Last updated 2 years ago

About Authorization

Every request your application sends to the Xena API must include an authorization token. The token also identifies your application to Xena.

About authorization protocols

Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported.

Authorizing requests with OAuth 2.0

All requests to the Xena API must be authorized by an authenticated user.

The details of the authorization process, or "flow," for OAuth 2.0 vary somewhat depending on what kind of application you're writing.

The following general process applies to all application types:

  1. When you create your application, you register it in Xena Developer using the Xena Developer Console. Xena's Identity server then provides the information you'll need later, such as a client ID and a client secret.

  2. When your application needs access to user data, it asks Xena's Identity server for a particular scope of access (see the list of scopes below).

  3. Xena's Identity server then displays a consent screen to the user, asking them to authorize your application to access some of their data.

  4. If the user approves your request, Xena's Identity server returns a short-lived access token to your application. Access tokens granted by Xena's Identity server are valid for one hour.

  5. Your application requests user data, attaching the access token to the request. All your requests to the Xena API should send the access token as a bearer token in the Authorization header.

  6. If Xena's API determines that your request and the token are valid, it returns the requested data.

  7. Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Xena's OAuth 2.0 documentation.

Here is a list of the OAuth 2.0 scopes for the Xena API:

| Scope | Meaning |
| --- | --- |
| testapi | Full, permissive scope to access all of a user's Xena data. |
| profile | User's profile information: name, culture, picture. |
| email | User's email. |
| offline_access | Returns a refresh token. |

Xena's OAuth 2.0 documentation
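
The client-side checks implied by steps 2, 4 and 5 and by the scope list, as an added example that is not Xena's own code. The authorize URL is a placeholder, `response_type=code` and the `state` parameter are standard OAuth 2.0 (RFC 6749) and are assumed here rather than taken from this page, and all function and class names are hypothetical.

```python
import secrets
import time
from urllib.parse import urlencode

XENA_SCOPES = {"testapi", "profile", "email", "offline_access"}  # scopes listed on this page
ACCESS_TOKEN_LIFETIME = 3600  # seconds; the page states access tokens are valid for one hour
# Placeholder, not a real Xena endpoint (assumption for this example).
AUTHORIZE_URL = "https://identity.example.invalid/connect/authorize"

def build_authorization_url(client_id, redirect_uri, scopes):
    """Step 2: request only the scopes needed; returns (url, state)."""
    unknown = set(scopes) - XENA_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    state = secrets.token_urlsafe(32)  # anti-CSRF value, stored in the user's session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": " ".join(scopes),
                       "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def callback_state_ok(expected, received):
    """Reject callbacks whose state does not match the one issued above."""
    return secrets.compare_digest(expected.encode(), received.encode())

class AccessToken:
    """Holds the token from step 4 and enforces its lifetime before step 5."""
    def __init__(self, value, scopes, issued_at=None, lifetime=ACCESS_TOKEN_LIFETIME):
        self._value = value
        self.scopes = frozenset(scopes)
        self.expires_at = (time.time() if issued_at is None else issued_at) + lifetime

    def is_expired(self, now=None, skew=60):
        # Treat the token as expired slightly early to absorb clock skew.
        return (time.time() if now is None else now) >= self.expires_at - skew

    def auth_header(self, now=None):
        if self.is_expired(now):
            raise RuntimeError("access token expired; obtain a new one")
        return {"Authorization": f"Bearer {self._value}"}

    def can_refresh(self):
        # Per the page, a refresh token is only returned with offline_access.
        return "offline_access" in self.scopes

    def __repr__(self):
        # Never include the token value in logs or tracebacks.
        return f"<AccessToken scopes={sorted(self.scopes)} expires_at={self.expires_at:.0f}>"
```

Because `testapi` grants full access to a user's Xena data, pass it to `build_authorization_url` only when the narrower scopes are not enough.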