Page Comparison

...

https://mywebsite.com/newjoiner?code=12345

Example Token

...

Request

The token call takes the following parameters:

...

...

...

Headers

X-Application: 'your App key'

...

X-Authentication : 'your session token'

...

Accept:

...

  application/json

...

Content-Type:

...

  application/json

...

...

Endpoint

...

https://api.betfair.com/exchange/account/rest/v1.0/token/

...

Request

 
Request Body

{"client_id"="4534","grant_type":"AUTHORIZATION_CODE","code":"-22a1-12151008-000007cb61","client_secret":"bc183d-f5-40dc-82a6-d97681

...

Response

 
Response
 
{"access_token":"KeOi+kyg2RvDK4HM+W46CvSnP5w=","refresh_token":"50d76117-7f85-375v-a38f-ffb332713f93","application_subscription":{"vendor_client_id":"456238"},"token_type":"BEARER","expires_in":"14400"}

...

...

...

Headers

X-Application

...

: 'your App key'
X-Authentication

...

 : 'your session token'
Accept:  application/json

...

Endpoint

Content-Type:  application/json

Endpoint

https://api.betfair.com/exchange/account/json-rpc/v1

...

Request

...

{"jsonrpc": "2.0", "method": "AccountAPING/v1.0/token", "params": {"client_id":"CLIENTID","grant_type":"AUTHORIZATION_CODE","code":"CODE","client_secret":"CLIENTSECRET"}, "id": 1 }

OAuth 2 Flow - Using the Refresh Token

When the access token expires, it is possible to create a new one without any user input, using the refresh token. This is done with the same call that was used to create it originally, the token operation, but with a different set of parameters:, e.g grant_type REFRESH_TOKEN.

Header: 'X-Application' : 'your app key'

...

refresh_token: the refresh token for the user 

client_secret: your secret, obtained from/wiki/spaces/OL/pages/1671181

This will return the same information as the original call:

access_token: the access token, used to call Betfair on the user's behalf

...

application_subscription: contains the vendor client ID, a unique identifier for a user

...

https://api.betfair.com/exchange/account/rest/v1.0/token?client_id=VENDOR_ID&client_secret=VENDOR_SECRET&grant_type=REFRESH_TOKEN&refresh_token=50d76117-7f85-375v-a38f-ffb332713f93

...

{"access_token":"KeOi+kyg2RvDK4HM+W46CvSnP5w=","refresh_token":"50d76117-7f85-375v-a38f-ffb332713f93","application_subscription":{"vendor_client_id":"456238"},"token_type":"BEARER","expires_in":"14400"}

...

Making API Calls On The Users Behalf

...

The Authorization header needs to be a concatenation of the token type and the access token (both returned by the token call), separated by a space.

Example:

Image RemovedImage Added

Betfair will use the access token to determine which user the calls are being made for.

...

The user may choose to revoke the permissions previously granted to your web application. This will invalidate the access token and destroy your refresh token. Any subsequent calls to Betfair using the access token, or any attempt to generate a new one using the refresh token will result in either an INVALID_SESSION exception or UNEXPECTED_ERROR respectively.

Legacy Subscriptions

...

The available operations are the following:

• getApplicationSubscriptionToken
• activateApplicationSubscription
• cancelApplicationSubscription
• updateApplicationSubscription
• listApplicationSubscriptionTokens
• getApplicationSubscriptionHistory

If you do use these calls to manage subscriptions, the token call will return information on the most relevant subscription (i.e. the subscription with the latest expiration date) as part of the application_subscription object.

Flow Diagram

Sample Code

Sample code that demonstrates the web apps interaction is available via https://github.com/betfair/sample-web-app-vendor/ 

...