Authorization

Access Tokens

The Whisk APIs are HTTP-based RESTful APIs that use a flavor of OAuth 2.0 for authorization. API request and response bodies are formatted in JSON.

At the moment only server-to-server Authorization is supported. You'll need an Access Token if you want to use the Whisk API from your backend.

Note: To get a Management Token, contact [email protected]
The issued token plays the role of an ApiKey and needs to be stored securely. It should be used only from servers (not browsers or devices).

Using Access Tokens

To use your Access Token, provide it in the authorization header of each request. Access Tokens use the bearer authorization scheme, which just means you need to specify the bearer type in the header.

This sample request uses a bearer token to access the Whisk feed:

curl "https://graph.whisk.com/v1beta/feed" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <Access-Token>"

Anonymous Access from Client Apps

You can't use the app management token from client apps for security reasons. Therefore, to support serverless apps, Whisk provides an alternative mechanism.

Note: For browser applications, you need to provide a list of domains, which will be whitelisted.

A client application can request a short-lived token to access the API and keep a reference for the user:

curl "https://graph.whisk.com/v1beta/auth/access_token" \
  -H "Accept: application/json" \
  -d '{ "client_id": "<YOUR-APP-ID>", "grant_type": "anonymous" }'

Example response:

{
  "access_token": "Xb609ErrcoRNwll9wwxbk70OxFrbxEOu8Ui8ZzV4yJDA9RvLRGFhlMAAfkP2OmSS",
  "expires_in": 86400,
  "token_type": "Bearer",
  "refresh_token": "oS1437tty6buHTef0VGkXgcR7PvOt2DDUntSjWaCtDqJX8osK7d3Mip38NjpJdTH"
}

The access_token from the response can then be used for communication from the client app. This Access Token is bound to a specific userId in the Whisk Platform.

You should respect the expires_in time, which is given in seconds. For short-lived tokens it is usually 1 day. On token expiration, you can use the refresh_token to request a new Access Token, which will be bound to the same user.

curl "https://graph.whisk.com/v1beta/auth/access_token" \
  -H "Accept: application/json" \
  -d '{
    "client_id": "<YOUR-APP-ID>",
    "grant_type": "refresh_token",
    "refresh_token": "oS1437tty6buHTef0VGkXgcR7PvOt2DDUntSjWaCtDqJX8osK7d3Mip38NjpJdTH"
  }'

This will provide a new Access Token.
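
The expiry and refresh handling described above, sketched for a client app as an added example (not Whisk's own code). The function names, the 60-second renewal margin, the injected `post` transport and the Content-Type header are assumptions; the endpoint, grant types and response fields are the ones shown on this page.

```javascript
// Added example: endpoint, grant types and field names are the ones on this page.
// Function names, SKEW_MS, the injected `post` transport and the Content-Type
// header are assumptions made for illustration.
const TOKEN_URL = "https://graph.whisk.com/v1beta/auth/access_token";
const SKEW_MS = 60 * 1000; // assumed margin: renew one minute before expiry

// Turn a token response into state with an absolute expiry time.
// If a refresh response omits refresh_token, keep the previous one (assumption).
function toState(resp, nowMs, prev = null) {
  if (!resp || resp.token_type !== "Bearer" || !resp.access_token || !(resp.expires_in > 0)) {
    throw new Error("unexpected token response");
  }
  return {
    accessToken: resp.access_token,
    refreshToken: resp.refresh_token || (prev && prev.refreshToken) || null,
    expiresAtMs: nowMs + resp.expires_in * 1000,
  };
}

// Request body needed right now, or null while the current token is still valid.
function nextRequest(clientId, state, nowMs) {
  if (state && nowMs < state.expiresAtMs - SKEW_MS) return null;
  if (state && state.refreshToken) {
    return { client_id: clientId, grant_type: "refresh_token", refresh_token: state.refreshToken };
  }
  return { client_id: clientId, grant_type: "anonymous" }; // no stored state: anonymous grant
}

// Return the Authorization header value, renewing the token first when required.
// `store` is any object with a `state` property; `post` resolves to parsed JSON.
async function authorizationHeader(clientId, store, post = postJson, now = Date.now) {
  const body = nextRequest(clientId, store.state, now());
  if (body) store.state = toState(await post(TOKEN_URL, body), now(), store.state);
  return "Bearer " + store.state.accessToken;
}

// Default transport built on fetch (browsers, Node 18+).
async function postJson(url, body) {
  const res = await fetch(url, {
    method: "POST",
    headers: { Accept: "application/json", "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error("token request failed: " + res.status);
  return res.json();
}
```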