API Authentication
24sessions uses OAuth2 to authenticate access to our API. Every request made to the API must be sent along with a unique access token to confirm the requestor’s identity.
To get an access token, request one from the API. The request requires the client id and secret key of your 24sessions instance. Please contact solutions@24sessions if you have not yet been provided with credentials.
Access on behalf of the user
When a user needs to log in to 24sessions through a third-party application, the application can prompt for the user's username and password and then perform the intended actions on the user's behalf.
This is useful in user-specific tasks, such as generating a meeting within a CRM.
Using a password
A GET request must be made to the authentication endpoint with a grant_type of password, as shown in the example below.
GET https://<your_instance>.api.24sessions.com/v1/oauth/v2/token
?client_id=<your_client_id>
&client_secret=<your_client_secret>
&grant_type=password
Using a refresh token
Refresh tokens can be used to generate another access token when the initial access token expires (after 1 hour). A refresh token can be used in place of the username and password: it allows a user access token to be generated without needing the user's username and password.
A GET request must be made to the authentication endpoint with a grant_type of refresh_token, as shown in the example below.
GET https://<your_instance>.api.24sessions.com/v1/oauth/v2/token
?client_id=<your_client_id>
&client_secret=<your_client_secret>
&grant_type=refresh_token
Complete API access
Complete API access is needed in integrations that require data about multiple users. Typical examples are:
- Retrieving data for a business intelligence or analytics tool
- Integrating with a third-party system, like a CRM
The 24sessions API supports “client credentials” authentication, which allows 3rd party systems to obtain access to the API without authorization from the requestor (end-user). If you need to access data without being logged in as a specific user, you can obtain a generic access token using only the client secret and client ID.
Use the grant_type of client_credentials in the request, as shown in the example below.
GET https://<your_instance>.api.24sessions.com/v1/oauth/v2/token
?client_id=<your_client_id>
&client_secret=<your_client_secret>
&grant_type=client_credentials
Refreshing the access token
The access token expires in one hour, regardless of grant type. There are two ways to manage access tokens:
- Fetch a new access token before each request
- Cache the access token and fetch a new token only when needed
Implementing the first option typically takes less effort than the second. Please note that the first option adds one GET request before each request, causing a minor performance decrease.
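The second option (cache the token and fetch a new one only when needed), implemented in Python for the client_credentials grant; this is an added example, not 24sessions code. Because the token request carries client_secret in the query string, `redact` masks it before the URL is logged. Assumptions: the response uses the standard OAuth2 field names `access_token` and `expires_in`, the 60-second refresh margin is arbitrary, and `fetch` is a hypothetical callable that performs the GET and returns the parsed response.

```python
import threading
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_LIFETIME = 3600  # seconds; the page states tokens expire after one hour
REFRESH_MARGIN = 60    # assumption: renew a minute early to absorb clock skew

def token_url(instance, client_id, client_secret):
    """Build the client_credentials token request URL from the page."""
    query = urlencode({"client_id": client_id, "client_secret": client_secret,
                       "grant_type": "client_credentials"})
    return f"https://{instance}.api.24sessions.com/v1/oauth/v2/token?{query}"

def redact(url, secret_params=("client_secret",)):
    """Mask secret query values so the URL can be written to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in secret_params else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

class TokenCache:
    """Hold one access token; refetch only when it is missing or near expiry."""
    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch  # hypothetical callable: does the GET, returns a dict
        self._clock = clock
        self._lock = threading.Lock()
        self._token, self._expires_at = None, 0.0

    def get(self):
        with self._lock:  # one refresh at a time across threads
            now = self._clock()
            if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
                body = self._fetch()
                # Assumed field names, from standard OAuth2 token responses.
                self._token = body["access_token"]
                self._expires_at = now + body.get("expires_in", TOKEN_LIFETIME)
            return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after the API answers 401."""
        with self._lock:
            self._token = None

if __name__ == "__main__":
    # Constructed stand-in for the real HTTP call, so this runs offline.
    cache = TokenCache(lambda: {"access_token": "demo-token", "expires_in": 3600})
    print(cache.get(), cache.get())
    print(redact(token_url("example", "my-id", "my-secret")))
```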