We are happy to announce the release of version 1.0.0 of our OpenAPI, Quire uses OAuth 2.0 to authenticate requests between your app and your users. With OAuth, users can give you access to their Quire content without giving up their passwords.
This means that a user could authorize an app to access data or make changes to their Quire account and services that are exposed by the Quire API. For example, an app could create or delete tasks, post a comment, or alter an assignee, due, tags.
In order to use Quire API, you’ll need to create an Oauth app.
You’ll need to be logged in to your Quire account to create an app.
Go to the Quire developer app console and click on the Create new app button.
Choose the Quire Organization that your app belongs to, the organization members can view/edit all apps belongs to the selected organization.
Give your application a name and Redirect URL, we will discuss the role of the Redirect URL later. For now you can supply the following URL:
Click the Create new app button, your newly created OAuth application will be presented on the developer console page, allowing you to further configure it.
In summary, you should have these three bits of information:
Host your application configuration information in you app.
Generate an authorization url that you will redirect your users to Quire’s OAuth endpoint URI. This will show a web page where logged in Quire users can authorize your application to access their content.
An authorization link view example might look like:
state parameter is a random string used to prevent Cross-Site Request Forgery (CSRF) attacks. You should randomly generate a character string. It will be passed back to your app, unchanged, in Step 3. Your application should validate this value. Though it is optional, we strongly recommend including this parameter.
The OAuth 2.0 server responds to your application's access request by using the URL specified in the
If the user approves the access request, then the response contains an authorization code. If the user does not approve the request, the response contains an error message. The authorization code or error message that is returned to the web server appears on the query string, as shown below:
An error response:
An authorization code response:
A callback example might look like:
When the user is redirected back to your application redirect_uri, a code and state parameter will also be present in the querystring parameters. The state is your CSRF anti-forgery token to validate the request.
Extract the code and state from the query string parameters. The state may be validated at this point.
A validate example might look like:
Your application needs to make a
POST call to the token endpoint with the extracted authorization code and the request parameters in the below.
A request an access token example might look like this:
The access token you receive in response will be a JSON format.
The token should be kept carefully and permanently since you need it to access every Quire API.
Your app now has an access token that it can be used to make API calls on user's behalf.
Make the API call passing the access token as a bearer token in the header of the request.
An api call example might look like:
An access token intentionally is meant for short-term use only. This is an important security mechanism of OAuth 2.0. When using the Authorization Code Grant Flow, the access tokens have an one-hour lifetime by default.
When an access token expires, an HTTP 401 error will be returned:
Alternatively, your application could redirect the user to the authentication flow.
We hope by now you already know how to use Quire API! We can't wait to see the amazing apps that you will build for Quire! 😍