Hello, I am trying to set up an API call using the Bubble API Connector. The API is for a service called Cratejoy (URL to documentation: http://docs.cratejoy.com/docs/authorization).
Here’s a screenshot of the API call I am attempting (with a fake Client ID and Client Secret Key used in the header).
However, no matter what I’ve tried it can’t seem to authorize properly. Any thoughts??
When you click “Initialize call”, what error message do you see?
I get the following error message:
Raw response for the API
Have you tried adding the authorization key to the header of the API call?
I am no API master, but I understood from the documentation that it should be in the header of every API call.
My read of the Cratejoy docs has me thinking you should be using HTTP Basic Auth for the authentication type, and then put your Client ID and Client Secret in the fields provided. It will handle the base64 encoding for you.
That or it’s an OAuth 2 type flow. The answer will be in the docs!
Thank you, @mebeingken! I tried it as an HTTP Basic Auth and that worked perfectly. I probably should have tried that on my own. I’m new to working with APIs.
One other question for the group. Is it possible to have my users input their username/password and initiate the API call using that information?
I understand how to store those variables. However, since the API Connection plugin is administered in the settings, I’m not sure how to pass that along. Would I need to forgo the plugin and code the call in the application itself if I’m using user-provided logins?
Yes, it’s possible. Username/password can be combined into a single Bearer token and passed on a header.
I recommend waiting to do this until server-side encryption is available, or DIY if you’re comfortable with microservices, so the tokens aren’t stored in plaintext, and make sure the API call keeps the values server-side and secret from server logs.
It’s easy to get this wrong and expose secrets to the end user’s browser, or to a Bubble developer/admin.
EDIT - if you can use OAuth2, it’s designed to allow end users access without your app storing their external app password.
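An added example, not part of any post in this thread and not Bubble or Cratejoy code: it shows what HTTP Basic Auth puts in the `Authorization` header (RFC 7617) and one way to keep that value out of server logs. base64 is an encoding, not encryption, so anyone who can read the header can recover the credentials. The function names, logger name and redaction pattern are assumptions made for illustration, and the credentials are constructed samples.

```python
import base64
import logging
import re

def basic_auth_header(user_id: str, password: str) -> str:
    """Build an RFC 7617 header value: 'Basic ' + base64(user-id ':' password)."""
    if ":" in user_id:
        # The first colon separates the fields, so a colon in the user-id
        # would shift part of it into the password on the receiving side.
        raise ValueError("user-id must not contain ':'")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user_id + password):
        raise ValueError("control characters are not allowed")
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

# Matches an Authorization header in "Name: value" or dict-repr form.
_AUTH_RE = re.compile(
    r"(authorization['\"]?\s*[:=]\s*['\"]?)(basic|bearer)\s+[A-Za-z0-9+/=._~-]+",
    re.IGNORECASE,
)

def redact(text: str) -> str:
    """Replace the credential part of any Authorization header in text."""
    return _AUTH_RE.sub(r"\1\2 [REDACTED]", text)

class RedactAuth(logging.Filter):
    """Logging filter that scrubs credentials before a record is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format first, then scrub, so credentials passed as args are caught.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactAuth())
    log = logging.getLogger("api-proxy")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample credentials, not real ones.
    headers = {"Authorization": basic_auth_header("client-id", "client-secret")}
    log.info("outgoing request headers=%s", headers)
```

The filter only covers messages that pass through the handler it is attached to; request bodies, error traces and third-party loggers need the same treatment separately.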