There are some changes to the way access is granted and controlled to vendor applications using API-NG. The key changes are:
- The introduction of Subscription Tokens, to provide a single identifier for a customer's subscription to an application.
- The use of Application Keys, which replace product and vendor software IDs to control API access.
...
Appanvil karma designer | ||||
---|---|---|---|---|
|
Table of Content Zone | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
When & How to Use Vendor ServicesThere are two separate methods available to Vendors.
The Vendor Services API allows licensed and certified Software Vendors to manage the permissioning of Betfair accounts to their API-NG application/s. With the Vendor Services API, you can:
|
...
|
...
Sign up for subscription
...
There are two key processes that Vendor will need to follow when using the Vendor Services in API-NG: Each of these processes is detailed below.
Preconditions:
Example flow:
|
...
|
...
|
...
|
...
|
...
|
...
|
...
In this scenario, the Vendor wishes to check the customer’s subscription status to establish if the customer has:
This can be done within the application itself (client side) or by Vendor on their app server (server side). Each process is explained in more detail below: Client side process:
Server side process:
|
...
The Vendor Web API is available to licensed Software Vendors who are creating web-based applications These operations enable the web application to carry out operations on the users behalf using the OAuth2 protocol. OperationsThe following operations are available via the Vendor Web API OAuth 2 Flow - Creating an Access TokenThe user authentication via web apps is underpinned by the OAuth 2 protocol. You will need to redirect the user to the Betfair login page (identitysso.betfair.com/view/vendor-login), along with up to three parameters:
Creating An Access Token - Betfair.com customers
Example redirect
Example Token RequestThe token call takes the following parameters: Request Headers
Request Body
Response Parameters
Example token request - REST
Example token request - JSON
OAuth 2 Flow - Using the Refresh TokenWhen the access token expires, it is possible to create a new one without any user input, using the refresh token. This is done with the same call that was used to create it originally, the token operation, but with a different set of parameters, for example, grant_type: REFRESH_TOKEN and refresh_token:
Header: 'X-Application' : 'your app key' Header: 'X-Authentication' : 'your session token' client_id: your vendor ID, obtained from /wiki/spaces/OL/pages/1671181 grant_type: 'REFRESH_TOKEN' refresh_token: the refresh token for the user client_secret: your secret, obtained from/wiki/spaces/OL/pages/1671181 This will return the same information as the original call: access_token: the access token, used to call Betfair on the user's behalf token_type: metadata for the access token (see 'Making calls on the user's behalf') expires_in: how long the access token will be valid for (in seconds) refresh_token: the refresh token remains the same application_subscription: contains the vendor client ID, a unique identifier for a user Example Refresh Token request - REST
Making API Calls On The Users BehalfOnce you have an access token, you can start calling the Betfair API on the user's behalf based on their actions on your site. You will need to populate headers in a different way to a standard API call: X-Application: your application key Authorization: token_type + " " + access_token The Authorization header needs to be a concatenation of the token type and the access token (both returned by the token call), separated by a space. Example: Betfair will use the access token to determine which user the calls are being made for. These calls also have to be from back-end to back-end.
User RevocationThe user may choose to revoke the permissions previously granted to your web application. You must provide the user with the facility to do so within any web app using the revokeAccessToWebApp operation. This will invalidate the access token and destroy your refresh token. Any subsequent calls to Betfair using the access token, or any attempt to generate a new one using the refresh token will result in either an INVALID_SESSION exception or UNEXPECTED_ERROR respectively. Example RevokeAccessToWebApp Request
Legacy SubscriptionsThe way subscriptions are handled for web applications differs greatly from the way they were for desktop-based applications. The subscription token model is no longer enforced, however, you may still choose to create and manage subscriptions using the existing API calls. Please note that in this model, Betfair will no longer prevent requests for a user with an expired or canceled subscription. You can choose what action to take based on information contained in the application_subscription field returned by the token operation. The available operations are the following: If you do use these calls to manage subscriptions, the token call will return information on the most relevant subscription (i.e. the subscription with the latest expiration date) as part of the application_subscription object. Flow DiagramSample CodeSample code that demonstrates the web apps interaction is available via https://github.com/betfair/sample-web-app-vendor/
|