...

Example REST request

Headers

X-Application: 'your App key'

X-Authentication: 'your session token'

Accept: application/json

Content-Type: application/json

Endpoint

https://api.betfair.com/exchange/account/rest/v1.0/token/


Request

Request Body

{"client_id":"4534","grant_type":"AUTHORIZATION_CODE","code":"-22a1-12151008-000007cb61","client_secret":"bc183d-f5-40dc-82a6-d97681"}


Response

{"access_token":"KeOi+kyg2RvDK4HM+W46CvSnP5w=","refresh_token":"50d76117-7f85-375v-a38f-ffb332713f93","application_subscription":{"vendor_client_id":"456238"},"token_type":"BEARER","expires_in":"14400"}

...

 

Example Token request - Json-RPC

Headers

X-Application: 'your App key'

X-Authentication: 'your session token'

Accept: application/json

...

Endpoint

https://api.betfair.com/exchange/account/json-rpc/v1


Request

{"jsonrpc": "2.0", "method": "AccountAPING/v1.0/token", "params": {"client_id":"CLIENTID","grant_type":"AUTHORIZATION_CODE","code":"CODE","client_secret":"CLIENTSECRET"}, "id": 1}

 

OAuth 2 Flow - Using the Refresh Token

When the access token expires, it is possible to create a new one without any user input, using the refresh token. This is done with the same call that was used to create it originally, the token operation, but with a different set of parameters:

Header: 'X-Application' : 'your app key'

Header: 'X-Authentication' : 'your session token' 

client_id: your vendor ID, obtained from /wiki/spaces/OL/pages/1671181

grant_type: 'REFRESH_TOKEN'

refresh_token: the refresh token for the user 

client_secret: your secret, obtained from /wiki/spaces/OL/pages/1671181

 

This will return the same information as the original call:

access_token: the access token, used to call Betfair on the user's behalf

token_type: meta data for the access token (see 'Making calls on the user's behalf')

expires_in: how long the access token will be valid for (in seconds)

refresh_token: the refresh token remains the same

application_subscription: contains the vendor client ID, a unique identifier for a user


Example request using REST

...

https://api.betfair.com/exchange/account/rest/v1.0/token?client_id=VENDOR_ID&client_secret=VENDOR_SECRET&grant_type=REFRESH_TOKEN&refresh_token=50d76117-7f85-375v-a38f-ffb332713f93

 

Example response

...

{"access_token":"KeOi+kyg2RvDK4HM+W46CvSnP5w=","refresh_token":"50d76117-7f85-375v-a38f-ffb332713f93","application_subscription":{"vendor_client_id":"456238"},"token_type":"BEARER","expires_in":"14400"}

 

You can use the 'expires_in' value to determine when the access token will stop being valid. Alternatively, if calls made with the access token start returning an INVALID_SESSION error, it is likely that the token has expired.

Making API Calls On The User's Behalf

...

You will need to populate headers in a different way to a standard API call:

X-Application: your application key

Authorization: token_type + " " + access_token

The Authorization header needs to be a concatenation of the token type and the access token (both returned by the token call), separated by a space.

...

These calls also have to be from back-end to back-end.
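
An added example, not Betfair's code and not part of the original page: a back-end helper that builds the refresh request, tracks expiry from expires_in, and forms the Authorization header described above. It assumes the REST token endpoint accepts the refresh parameters in a JSON body, as the authorization-code request on this page does; the function and class names and the 60-second SKEW margin are hypothetical.

```python
import json
import time

TOKEN_URL = "https://api.betfair.com/exchange/account/rest/v1.0/token/"  # from this page
# Constructed sample: the example token response shown on this page.
SAMPLE_RESPONSE = ('{"access_token":"KeOi+kyg2RvDK4HM+W46CvSnP5w=",'
                   '"refresh_token":"50d76117-7f85-375v-a38f-ffb332713f93",'
                   '"application_subscription":{"vendor_client_id":"456238"},'
                   '"token_type":"BEARER","expires_in":"14400"}')

def build_refresh_request(app_key, session_token, vendor_id, vendor_secret, refresh_token):
    """Return (url, headers, body). Assumption: parameters travel in the JSON body,
    which keeps client_secret and refresh_token out of URLs and access logs."""
    headers = {"X-Application": app_key, "X-Authentication": session_token,
               "Accept": "application/json", "Content-Type": "application/json"}
    body = json.dumps({"client_id": vendor_id, "grant_type": "REFRESH_TOKEN",
                       "refresh_token": refresh_token, "client_secret": vendor_secret})
    return TOKEN_URL, headers, body

class UserToken:
    SKEW = 60  # hypothetical safety margin (seconds) before the stated expiry

    def __init__(self, raw_response, now=None):
        data = json.loads(raw_response)
        missing = {"access_token", "token_type", "expires_in"} - set(data)
        if missing:
            raise ValueError(f"token response missing fields: {sorted(missing)}")
        self.access_token = data["access_token"]
        self.token_type = data["token_type"]
        self.refresh_token = data.get("refresh_token")
        sub = data.get("application_subscription") or {}
        self.vendor_client_id = sub.get("vendor_client_id")
        issued = time.time() if now is None else now
        self.expires_at = issued + int(data["expires_in"])  # sent as a string

    def needs_refresh(self, now=None, api_error=None):
        """True once expiry is near, or when a call came back INVALID_SESSION."""
        now = time.time() if now is None else now
        return api_error == "INVALID_SESSION" or now >= self.expires_at - self.SKEW

    def call_headers(self, app_key):
        """Headers for calls on the user's behalf: token_type + ' ' + access_token."""
        return {"X-Application": app_key,
                "Authorization": f"{self.token_type} {self.access_token}"}

    def __repr__(self):  # keep token values out of logs and tracebacks
        return f"UserToken(vendor_client_id={self.vendor_client_id!r}, expires_at={self.expires_at})"
```
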

User Revocation

The user may choose to revoke the permissions previously granted to your web application. This will invalidate the access token and destroy your refresh token. Any subsequent calls to Betfair using the access token, or any attempt to generate a new one using the refresh token, will result in an INVALID_SESSION exception or UNEXPECTED_ERROR respectively.

Legacy Subscriptions

The way subscriptions are handled for web applications differs greatly from the way they were handled for desktop-based applications. The subscription token model is no longer enforced; however, you may still choose to create and manage subscriptions using the existing API calls.

...

The available operations are the following:

getApplicationSubscriptionToken

activateApplicationSubscription

cancelApplicationSubscription

updateApplicationSubscription

listApplicationSubscriptionTokens

getApplicationSubscriptionHistory

 

If you do use these calls to manage subscriptions, the token call will return information on the most relevant subscription (i.e. the subscription with the latest expiration date) as part of the application_subscription object.

Flow Diagram

 

Sample Code

Sample code that demonstrates the web apps interaction is available via https://github.com/betfair/sample-web-app-vendor/ 

...