Authentication

Authenticating Your App

By now I'm sure you've read the entire OAuth 2.0 specification, draft 26.

If you fell asleep while reading the spec, here's a summary of what you need to do to authenticate, along with the ShootProof-specific endpoints.

Note: ShootProof OAuth uses the authorization code grant type as well as refresh tokens.

Authorization Code Request

Endpoint:
https://auth.shootproof.com/oauth2/authorization/new
Params:
  • response_type = "code"
  • client_id = "YOUR APP ID"
  • redirect_uri = "YOUR REDIRECT URI" (More specifics below)
  • scope = "sp.studio.info sp.event.get_list sp.event.create sp.event.photo_exists sp.event.get_photos sp.album.get_list sp.album.create sp.album.get_photos sp.photo.upload sp.photo.delete sp.order.get_list sp.order.get_details sp.auth.deauthorize"

Make a request with the listed parameters and the user will be taken to a login page. Once successfully logged in, they will be returned to your redirect URI with a 'code' GET parameter. You will then exchange this temporary code for an access token.

Access Token Request

Endpoint (POST only):
https://auth.shootproof.com/oauth2/authorization/token
Params:
  • grant_type = "authorization_code"
  • client_id = "YOUR APP ID"
  • code = "PREVIOUSLY RETURNED AUTH CODE"
  • redirect_uri = "SAME URI AS AUTH CODE REQUEST"
  • scope = "sp.studio.info sp.event.get_list sp.event.create sp.event.photo_exists sp.event.get_photos sp.album.get_list sp.album.create sp.album.get_photos sp.photo.upload sp.photo.delete sp.order.get_list sp.order.get_details sp.auth.deauthorize"
Response:
Ok status
{ stat : ok },
{ access_token : S0m3aCC3ssT0k3n },
{ refresh_token : S0m3r3fr3shT0k3n },
{ token_type : bearer },
{ expires_in : 1209600 }

Fail status
{ stat : fail },
{ code : invalid_request },
{ msg : Some error message }

Error codes are per OAuth section 4.2.2.1, Error Response.

Access tokens last 2 weeks, though it is a good idea to refresh before the access token expires.

Refresh Token Request

Endpoint (POST only):
https://auth.shootproof.com/oauth2/authorization/token
Params:
  • grant_type = "refresh_token"
  • refresh_token = "S0m3r3fr3shT0k3n"
  • scope = "sp.studio.info sp.event.get_list sp.event.create sp.event.photo_exists sp.event.get_photos sp.album.get_list sp.album.create sp.album.get_photos sp.photo.upload sp.photo.delete sp.order.get_list sp.order.get_details sp.auth.deauthorize"
Response:
Ok status
{ stat : ok },
{ access_token : S0m3aNEWCC3ssT0k3n },
{ refresh_token : S0m3NEWr3fr3shT0k3n },
{ token_type : bearer },
{ expires_in : 1209600 }

Fail status
{ stat : fail },
{ code : invalid_request },
{ msg : Some error message }

You will be granted a new refresh_token AND access_token during refresh. It is also acceptable to refresh before you reach the expiry time.
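The three requests above as a minimal client, added here as an example and not ShootProof's own code. It assumes the token endpoint returns a single JSON object with the fields shown in the responses above; the function names, the one-day refresh margin, and the injectable `post` and `clock` parameters are this example's own.

```python
import json
import time
import urllib.parse
import urllib.request

AUTH_URL = "https://auth.shootproof.com/oauth2/authorization/new"
TOKEN_URL = "https://auth.shootproof.com/oauth2/authorization/token"


def authorization_url(client_id, redirect_uri, scope):
    """Build the URL the user's browser is sent to for login."""
    query = urllib.parse.urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope})
    return AUTH_URL + "?" + query


def http_post(url, params):
    """POST form-encoded params; return the response body as text."""
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return resp.read().decode()


def parse_token_response(body, now):
    """Assumption: the body is one JSON object with the fields listed above."""
    doc = json.loads(body)
    if doc.get("stat") != "ok":
        raise ValueError(f"token request failed: {doc.get('code')}: {doc.get('msg')}")
    # Keep an absolute expiry so later checks do not depend on issue time.
    doc["expires_at"] = now + int(doc["expires_in"])
    return doc


def exchange_code(code, client_id, redirect_uri, scope, post=http_post, clock=time.time):
    params = {"grant_type": "authorization_code", "client_id": client_id,
              "code": code, "redirect_uri": redirect_uri, "scope": scope}
    return parse_token_response(post(TOKEN_URL, params), clock())


def refresh_if_due(token, scope, margin=86400, post=http_post, clock=time.time):
    """Refresh within `margin` seconds of expiry (one-day default is an assumption)."""
    now = clock()
    if token["expires_at"] - now > margin:
        return token
    params = {"grant_type": "refresh_token",
              "refresh_token": token["refresh_token"], "scope": scope}
    # Both tokens are reissued on refresh: persist the returned pair.
    return parse_token_response(post(TOKEN_URL, params), now)
```

Store whatever `refresh_if_due` returns in place of the old token, since the refresh response carries a new refresh_token as well as a new access_token.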

Redirect URI

In Browser Flow:

The typical browser flow will redirect to your Redirect URI, in which case you will make a back-end request to exchange the temporary auth code for an access/refresh token.

Optional Application Flow:

In some cases, due to security sandbox issues, it is not possible to redirect back to your app. For this case, you can optionally pass 'self' as the Redirect URI instead of your own redirect URI. Passing 'self' as the URI will load the temporary code in the browser with instructions to enter the code in your app. Your app will then take the code and do a back-end POST request to get the access_token/refresh_token. This is exactly how our own Desktop Uploader works if you'd like to see an example.

Logging a user out of ShootProof

If your application has a need to log a user out of ShootProof after completing API requests, you can deauthorize the access token with a request in the following format.

https://auth.shootproof.com/oauth2/authorization/remove?access_token=S0m3aCC3ssT0k3n