
Authentication and Access Token

The Shakr API uses the OAuth 2.0 framework for authentication. Specifically, it uses the Client Credentials Grant, which enables service-to-service authentication without a user account. You can learn more about this grant type from the websites below.

Client Credentials Grant

To authenticate using the Client Credentials Grant, set the grant_type parameter to client_credentials, and provide your API credentials in the client_id and client_secret parameters. An access_token is returned in the response to your HTTP request. You can store this token and use it whenever you make an API request.

OAuth 2.0 Libraries

In most cases, you can find pre-built OAuth 2.0 libraries for your programming language of choice. Almost all libraries natively support the Client Credentials Grant, so you can use them to implement authentication to the Shakr API.

Here are OAuth 2.0 libraries for a few programming languages:

And here are examples of retrieving an access token using a library.

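const { ClientCredentials } = require('simple-oauth2');

// Replace the placeholders with your API credentials and keep them on the server.
const client = new ClientCredentials({
  client: {
    id: 'SHAKR_API_CLIENT_ID',
    secret: 'SHAKR_API_CLIENT_SECRET'
  },
  auth: { tokenHost: 'https://api.shakr.com' }
});

// In a CommonJS module, `await` is only valid inside an async function.
async function getAccessToken() {
  try {
    // Client Credentials Grant needs no additional token parameters.
    const { token } = await client.getToken({});
    return token;
  } catch (error) {
    console.log('Error fetching access token', error.message);
    return null;
  }
}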

Access token types

Server access token

When you get an access token using the standard grant_type, client_id, and client_secret parameters, you get a server access token. This type of token has access to all resources created by your application and can also create new resources, such as a new video. Since it has unrestricted permissions, we strongly recommend storing this token only on the server and never exposing it to the client's browser.

To learn more about getting a server access token, refer to Get a server access token.

Access token expiration

For now, a server access token lasts indefinitely. We plan to introduce an expiration date for security in the future, so we encourage you to use a library that handles token expiration.
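The following is an added example, not Shakr's own code: a server-side, in-memory token cache that works with today's non-expiring tokens and starts refreshing automatically once responses carry an expiry. It assumes a future expiry would arrive in the standard OAuth 2.0 `expires_in` field (seconds); `createTokenProvider`, `fetchToken`, and `skewSeconds` are hypothetical names.

```javascript
// Added example. `fetchToken` is a hypothetical injected function that performs
// the client_credentials request and resolves to the token response body.
function createTokenProvider(fetchToken, { skewSeconds = 60, now = () => Date.now() } = {}) {
  let cached = null;   // { accessToken, expiresAt }; expiresAt === null means no expiry was given
  let inFlight = null; // shared promise so concurrent callers trigger a single request

  function isFresh() {
    if (!cached) return false;
    if (cached.expiresAt === null) return true; // current behaviour: token lasts indefinitely
    // Refresh slightly early so a request never goes out with a token about to lapse.
    return now() < cached.expiresAt - skewSeconds * 1000;
  }

  async function refresh() {
    const body = await fetchToken();
    if (!body || typeof body.access_token !== 'string' || body.access_token === '') {
      throw new Error('Token response did not contain access_token');
    }
    const ttl = Number(body.expires_in); // assumption: standard OAuth 2.0 field, in seconds
    cached = {
      accessToken: body.access_token,
      expiresAt: Number.isFinite(ttl) && ttl > 0 ? now() + ttl * 1000 : null,
    };
    return cached.accessToken;
  }

  return {
    async getToken() {
      if (isFresh()) return cached.accessToken;
      if (!inFlight) {
        inFlight = refresh().finally(() => { inFlight = null; });
      }
      return inFlight;
    },
    // Call after the API rejects the token (for example with HTTP 401) to force a new fetch.
    invalidate() { cached = null; },
  };
}
```

The cache lives only in server memory, which keeps the unrestricted server access token out of browser-reachable storage.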

Scoped access token

There is another type of access token, called a scoped access token, which has restricted permissions. This type of token can be used in scenarios where you need to expose an access token to the client's browser, such as integrating the Editor SDK.

To learn more about a use case that involves a scoped access token, refer to Create videos with Video Editor SDK.