Authentication and Access Token
The Shakr API uses the OAuth 2.0 framework for authentication. Specifically, it uses the Client Credentials Grant, which enables service-to-service authentication without a user account. You can learn more about this grant type from the resources below.
- IETF RFC 6749 - The OAuth 2.0 Authorization Framework
- OAuth 2.0 Simplified - Client Credentials Grant
- Auth0 Docs - Client Credentials Flow
Client Credentials Grant
To authenticate using the Client Credentials Grant, set the grant_type parameter to client_credentials, and provide your API credentials in the client_id and client_secret parameters. An access_token is returned in the response to your HTTP request. You can store this token and use it whenever you make an API request.
OAuth 2.0 Libraries
In most cases, you can find pre-built OAuth 2.0 libraries for your programming language of choice. Almost all libraries natively support Client Credentials Grant, so you can use them to implement authentication to Shakr API.
Here are OAuth 2.0 libraries for a few programming languages:
And here are examples of retrieving an access token using a library.
Node.js

```javascript
const { ClientCredentials } = require('simple-oauth2');

const client = new ClientCredentials({
  client: {
    id: 'SHAKR_API_CLIENT_ID',
    secret: 'SHAKR_API_CLIENT_SECRET'
  },
  auth: { tokenHost: 'https://api.shakr.com' }
});

// In a CommonJS module, await is only valid inside an async function.
async function fetchAccessToken() {
  try {
    // getToken() resolves to an AccessToken object; its token property holds the response.
    const { token } = await client.getToken({});
    return token.access_token;
  } catch (error) {
    console.log('Error fetching access token', error.message);
  }
}
```

Ruby

```ruby
require "oauth2"

client = OAuth2::Client.new(
  "SHAKR_API_CLIENT_ID",
  "SHAKR_API_CLIENT_SECRET",
  site: "https://api.shakr.com"
)

token = client.client_credentials.get_token
# OAuth2::AccessToken exposes the token string as #token.
access_token = token.token
```

Elixir

```elixir
client = OAuth2.Client.new(
  strategy: OAuth2.Strategy.ClientCredentials,
  client_id: "SHAKR_API_CLIENT_ID",
  client_secret: "SHAKR_API_CLIENT_SECRET",
  site: "https://api.shakr.com"
)

# get_token!/1 returns the client with its token field populated.
client = OAuth2.Client.get_token!(client)
access_token = client.token.access_token
```
Access token types
Server access token
When you get an access token using the standard grant_type, client_id, and client_secret parameters, you get a server access token. This type of token has access to all resources created by your application and can create new resources, such as a new video. Since it has unrestricted permissions, we strongly recommend storing this token only on your server and never exposing it to the client's browser.
To learn more about getting server access token, refer to Get a server access token.
Access token expiration
For now, a server access token lasts indefinitely. We plan to introduce an expiration date for security in the future, so we encourage you to use a library that handles token expiration.
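The request described under Client Credentials Grant, combined with the expiration handling recommended here, as an added example (not Shakr's code and not taken from the libraries above). It assumes Node.js 18+ for the built-in fetch, a token endpoint at /oauth/token (the default path used by simple-oauth2; this page does not state it), and a standard expires_in field once expiration is introduced; all function names are illustrative.

```javascript
// Added example, not Shakr's code. The /oauth/token path is an assumption
// (simple-oauth2's default token path); confirm it in the API reference.
const TOKEN_URL = 'https://api.shakr.com/oauth/token';
const REFRESH_MARGIN_MS = 60_000; // refresh one minute before expiry

// Form-encoded body for the Client Credentials Grant (RFC 6749, section 4.4).
function buildTokenRequest(clientId, clientSecret) {
  if (!clientId || !clientSecret) throw new Error('missing API credentials');
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
  });
}

// Convert a token response into a cache entry. Without expires_in (tokens
// currently last indefinitely) the entry never expires.
function toCacheEntry(response, nowMs) {
  if (typeof response?.access_token !== 'string') throw new Error('token response has no access_token');
  const ttl = Number(response.expires_in);
  const expiresAt = Number.isFinite(ttl) && ttl > 0 ? nowMs + ttl * 1000 : Infinity;
  return { accessToken: response.access_token, expiresAt };
}

function isFresh(entry, nowMs) {
  return entry !== null && nowMs < entry.expiresAt - REFRESH_MARGIN_MS;
}

async function postForm(url, body) {
  const res = await fetch(url, { method: 'POST', body });
  // Report only the status: the request body contains the client secret.
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  return res.json();
}

// Server-side only. getToken() reuses the cached token and requests a new one
// when none is cached or expiry is near. `request` and `now` are injectable.
function createTokenProvider({ clientId, clientSecret, request = postForm, now = Date.now }) {
  let entry = null;
  let inFlight = null; // concurrent callers share one token request
  return async function getToken() {
    if (isFresh(entry, now())) return entry.accessToken;
    inFlight ??= request(TOKEN_URL, buildTokenRequest(clientId, clientSecret))
      .then((body) => { entry = toCacheEntry(body, now()); return entry.accessToken; })
      .finally(() => { inFlight = null; });
    return inFlight;
  };
}
```

Create one provider per process and pass it credentials read from server-side configuration (for example environment variables), so the client secret and the server access token never reach browser code.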
Scoped access token
There is another type of access token, called a scoped access token, which has restricted permissions. This type of token can be used in scenarios where you need to expose an access token to the client's browser, such as when integrating the Editor SDK.
To learn more about a use case that involves a scoped access token, refer to Create videos with Video Editor SDK.