Token Creation & Token Management


Last updated 1 year ago


In this step, as per the OAuth protocol, the code received by the client in the authorization step is exchanged for the access_token, which is used to access the Xoxoday storefront based on the scopes allowed by the user.

Access Token Generation

Because this request involves sensitive information (the client_secret), the client server must make the following POST request to get the access_token.

curl -X POST {OAUTH_URL}/v1/oauth/token/company \
-d '{
	"grant_type":"authorization_code",
	"code":"exxxx69660xxxxa6413c17d897xxxxx99",
	"redirect_uri":"{client_redirect_url}",
	"client_id":"{client_id}",
	"client_secret":"{client_secret}"
}'

After the Xoxoday server validates these parameters, the successful response will be:

{
    "access_token": "eyJ0b2tlbkNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1NTAxMzYsImV4cGlyZXNBdCI6IjIwMTktMDctMDZUMDc6MDI6MzAuMTM2WiIsInRva2VuX3R5cGUiOiJDT01QQU5ZIn0sImFfdCI6ImY3ZWM1MWMyYmE0ZGNmNzY2ZWE0ZDExMTI3ZjEzZjQzZjAwZmNhN2EifQ==",
    "token_type": "bearer",
    "expires_in": 2592000,
    "refresh_token": "064be187f42e9238122ef9d7a985c8800dff3752",
    "email":"email@example.com" //This is the email of the user who allowed access
}

Parameters

Body Parameters

| Parameters | Description |
| --- | --- |
| token_type* | |
| grant_type* | Although OAuth supports different grant_type values, the values supported by Xoxoday are authorization_code and refresh_token. |
| code* | |
| client_id* | |
| redirect_uri* | |
| client_secret* | |

Body Parameters

| Parameters | Type | Description |
| --- | --- | --- |
| access_token | Bearer | The client can use it to access the Xoxoday API. |
| token_type | Bearer | It must be passed in the Authorization header. |
| expires_in | | The duration (in seconds) for which the access_token is valid. The default user session lasts for 15 days. The default company session lasts for 30 days. |
| refresh_token | Bearer | The value with which the client can regenerate an expired access_token. The refresh token lasts 30 days for a user session and 60 days for a company session. |

Access Token generation from Refresh Token

Upon expiry, the access token can be regenerated using the refresh token with the following request:

curl -X POST {OAUTH_URL}/v1/oauth/token/company \
  -d '{
  "grant_type":"refresh_token",
  "refresh_token":"064be187f42e9238122ef9d7a985c8800dff3752",
  "client_id":"xxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "client_secret":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}'

After the Xoxoday server validates these parameters, the successful response will be:

{
    "access_token": "eysdkhsdbjbdfsNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1NTAxMzYsImV4cGlyZXNBdCI6IjIwMTktMDctMDZUMDc6MDI6MzAuMTM2WiIsInRva2VuX3R5cGUiOiJDT01QQU5ZIn0sImFfdCI6ImY3ZWM1MWMyYmE0ZGNmNzY2ZWE0ZDExMTI3ZjEzZjQzZjAwZmNhsdjhfbsfdjblfs",
    "token_type": "bearer",
    "expires_in": 2592000,
    "refresh_token": "sdff064be187f42e9238122ef9d7a985c8800dff3752"
}

Parameters

Body Parameters

| Parameters | Description |
| --- | --- |
| grant_type* | Although OAuth supports different grant_type values, the values supported by Xoxoday are authorization_code and refresh_token. |
| client_id* | |
| client_secret* | |
| refresh_token* | The value with which the client can regenerate an expired access_token. The refresh token lasts 30 days for a user session and 60 days for a company session. |

Body Parameters

| Parameters | Type | Description |
| --- | --- | --- |
| access_token | Bearer | The client can use it to access the Xoxoday API. |
| token_type | Bearer | It must be passed in the Authorization header. |
| expires_in | | The duration (in seconds) for which the access_token is valid. The default user session lasts for 15 days. The default company session lasts for 30 days. |
| refresh_token | Bearer | The value with which the client can regenerate an expired access_token. The refresh token lasts 30 days for a user session and 60 days for a company session. |

Note: In the above response, a new refresh_token is generated, so the client server must replace the old refresh token with this new one.

Access Token Validation

To verify at any point in the app whether the token is valid, call the endpoint below.

curl -X GET {OAUTH_URL}/v1/oauth/token \
-H 'Authorization: Bearer eyJ0b2tlbkNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1Nzg1ODIsImV4cGlyZXNBdCI6IjIwMTktMDYtMjFUMDc6MDI6NTguNTgyWiIsInRva2VuX3R5cGUiOiJ'

200: Success

{
    "access_token": "eyJ0b2tlbkNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1Nzg1ODIsImV4cGlyZXNBdCI6IjIwMTktMDYtMjFUMDc6MDI6NTguNTgyWiIsInRva2VuX3R5cGUiOiJ",
    "token_type": "bearer",
    "expires_in": 1291911023
}

400: Failure

Token has expired.

{
    "error": "invalid_token",
    "error_description": "invalid/expired token"
}

token_type*: The token_type can take two values: company or user. If the request in the authorization step was for company session creation, the token_type value is company; if it was for user session creation, the token_type value is user.

code*: Authorization codes expire 5 minutes after creation. This is the temporary code value that the client obtained after authorization.

client_id* (both requests): This is the client_id value that one receives upon registration in the Getting Started step.

redirect_uri*: The URL must match what you shared at the time of company registration.

client_secret* (both requests): This is the client_secret value that one receives upon registration in the Getting Started step.

Diagrammatic Representation for Authorization & Access Token generation.

While the expiry is 30 days for the access_token and 60 days for the refresh_token, Xoxoday recommends polling the API on every 4xx error to ensure no downtime in case of a token invalidation before the 30-day expiry.
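
The token lifecycle described on this page (code exchange, refresh with refresh-token rotation, and validation after a 4xx), as an added example that is not Xoxoday's own code. The `TokenManager` class, its token file, and the injected `post`/`get` HTTP helpers are assumptions; only the two endpoint paths and the field names come from the page.

```python
import json, os, tempfile, time

class TokenManager:
    """Added example. `post(path, body)` and `get(path, bearer)` are assumed,
    caller-supplied HTTP helpers returning (status_code, parsed_json)."""

    def __init__(self, path, client_id, client_secret, post, get):
        self.path, self.post, self.get = path, post, get
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.tokens = {}
        if os.path.exists(path):
            with open(path) as f:
                self.tokens = json.load(f)

    def _save(self, body):
        # Each refresh response carries a new refresh_token; write it atomically
        # so the file never holds a half-written or stale token pair.
        body = dict(body, obtained_at=time.time())
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:  # mkstemp creates the file with mode 0600
            json.dump(body, f)
        os.replace(tmp, self.path)
        self.tokens = body

    def _grant(self, **params):
        status, body = self.post("/v1/oauth/token/company", {**params, **self.creds})
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token request failed: HTTP {status}")  # never log the body
        self._save(body)

    def exchange_code(self, code, redirect_uri):
        self._grant(grant_type="authorization_code", code=code, redirect_uri=redirect_uri)

    def refresh(self):
        self._grant(grant_type="refresh_token", refresh_token=self.tokens["refresh_token"])

    def access_token(self, skew=60):
        # Refresh shortly before expires_in elapses rather than after a failure.
        if time.time() - self.tokens["obtained_at"] >= self.tokens["expires_in"] - skew:
            self.refresh()
        return self.tokens["access_token"]

    def on_4xx(self):
        # Called after any 4xx from the API: check the token with the validation
        # endpoint and refresh only if it is no longer valid.
        status, _ = self.get("/v1/oauth/token", self.tokens["access_token"])
        if status != 200:
            self.refresh()
        return self.tokens["access_token"]
```

Run this only on the client server, since it holds the client_secret and the refresh token.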

Diagrammatic Representation for .
