Authentication
How to Authenticate
How it works
SMEasy uses the OAuth 2.0 protocol for authentication and authorization. OAuth2 is a framework that enables applications to obtain limited access to user accounts over HTTP. It is used by services like Google, Facebook, Stripe, and Slack. This method creates a token that lasts for 12 hours to keep your SMEasy account secure and connected. For more details about OAuth2 itself, check out: the official documentation.
Work Flow Overview
- Your user needs to allow your application to access their SMEasy account info via the SMEasy API. As part of this process you will get an
auth code
back from SMEasy. - You will need to exchange this
auth code
for anaccess token
andrefresh token
pair. - When the users
access token
expires you can use the associatedrefresh token
to request a newaccess token
andrefresh token
pair. - Rinse and repeat step 3.
Step 1: Get an auth code
In order to get your user to allow your application to access their SMEasy accounting data from SMEasy you will need to send your user to a page hosted by SMEasy which will prompt your user to:
- Provide a page on your site asking your user to 'connect' their SMEasy account to your application. Your user should be able to click on a button or a link that will take them through to step 2.
- The link on your website should take your user to an SMEasy hosted page where they will be prompted to do the following:
- Login to their SMEasy account to prove who they are to SMEasy.
- Allow your application to access their SMEasy accounting data via the SMEasy API.
- Redirect back to your application with attached
auth code
andstate
.
Where do you redirect your user when they click on the relevant button or link in step 1?
SMEasy API authorize url
https://authorize.smeasy.co.za?client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&state=<STATE>
Where:
- <CLIENT_ID> is the value you got back from SMEasy support when listing your application with SMEasy.
- <REDIRECT_URI> is the value you supplied to SMEasy support when listing your application with SMEasy.
- <STATE> is a unique text value that is used to validate that the response you get at your redirect_uri originated from your call to the SMEasy authorize link made in step 1 above.
Step 2: Exchange your auth code for an access token / refresh token pair
Once your user has authorised your application to access their SMEasy accounting data and you have received the resulting auth code
you can proceed to the next step which is exchanging this auth code
for an access token
and refresh token
pair.
To do this you will need to perform a POST
against the following url:
SMEasy API token url
https://integrationapi.smeasy.co.za/token
With the following request header:
- Content-Type: application/x-www-form-urlencoded
With the following body:
grant_type=authorization_code&code=<AUTH_CODE>&redirect_uri=<REDIRECT_URI>&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>
Where:
- <AUTH_CODE> is the
auth code
retrieved from step 1 of this process. - <CLIENT_ID> and <CLIENT_SECRET> are the values you got back from SMEasy support when listing your application with SMEasy.
- <REDIRECT_URI> is the value you supplied to SMEasy support when listing your application with SMEasy.
You should received back from the above POST
the following json
:
{
"access_token": "eyJhbGc...",
"token_type": "Bearer",
"expires_in": 297,
"scope": "read offline_access",
"refresh_token": "eyJhbGci..."
}
You will need to store the refresh
token as you will need it in the future when the access token
expires in 12 hours.
Step 3: Exchange your refresh token for a new access token / refresh token pair.
When the access token
you are using to access the SMEasy API expires you will need to request a new access token
and refresh token
pair using the refresh token
associated with the recently expired access token
.
To do this you will need to perform a POST
against the following url:
SMEasy API token url
https://integrationapi.smeasy.co.za/token
With the following request header:
- Content-Type: application/x-www-form-urlencoded
With the following body:
grant_type=refresh_token&refresh_token=<REFRESH_TOKEN>&redirect_uri=<REDIRECT_URI>&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>
Where:
- <REFRESH_TOKEN> is the last
refresh token
retrieved from the SMEasytoken
endpoint. - <CLIENT_ID> and <CLIENT_SECRET> are the values you got back from SMEasy support when listing your application with SMEasy.
- <REDIRECT_URI> is the value you supplied to SMEasy support when listing your application with SMEasy.
You should receive back from the above POST
the following json
:
{
"access_token": "eyJhbGc...",
"token_type": "Bearer",
"expires_in": 297,
"scope": "read offline_access",
"refresh_token": "eyJhbGci..."
}
Once again you will need to store the refresh token
for future use.
About Refresh Tokens
access tokens
are not long lived. They last for 12 hours, after which they are no longer able to authenticate requests, and may produce different errors depending upon the service being called. The remedy to use in these situations is a refresh token
.
refresh tokens
live forever, but are one-time-use, and only one refresh token
can be alive at any time per user per application. A new refresh token
is generated every time an access token
is issued for a given user of a given application, and all old refresh tokens
immediately become invalid. Make sure that whenever you receive a new access token
, you write its companion refresh token
down somewhere safe to refresh your access, or you’ll have to re-authorize your application again manually.
access tokens
don’t interfere with each other’s lives the same way, so you could have several valid access tokens
at any given point in time. They only expire when you manually POST
to the token/revoke endpoint or when their time runs out.