Authentication
Last updated
Last updated
ClearXP supports the flow to allow third-party server-side applications to make requests on behalf of a user. This flow includes the following steps:
Your app will make a request to /auth/oauth/authorize
Log into your ClearXP admin account to authorise the integration. The webpage will redirect back to your server with a single-use code
.
A request can be made to /auth/oauth/token
to exchange the code
for an access_token
and refresh_token
The access_token
can now be used to make requests to the ClearXP API.
These steps will be outlined in more detail below.
Your server should make a full page request to the following URL:
This will load ClearXP's authentication screen.
You will need to log into an admin account with appropriate permissions to authorise the integration. Once done, the browser will redirect back to YOUR_REDIRECT_URI
and append a code
query parameter that will be used in the next step.
The code
is a single-use token that can be exchanged for an access_token
that can be used to authenticate API requests. The code
expires after 10 minutes so should be exchanged immediately.
After receiving the request to YOUR_REDIRECT_URI
, your server will need to read the code
query parameter and include it in the following back-end request:
If all parameters are valid, you will receive a response that looks like the following:
From your server-side application, you can now make API requests using your access_token
. This should include the token you've just received as well as your tenant ID:
Since access tokens expire after 1 hour, you will either need to reauthenticate the user for further requests or generate a new access_token
using the refresh_token
. This can be done by calling the following endpoint from your server-side application:
For long-lived integrations, you may need to periodically refresh the access_token
using an automated task to keep the integration alive.
Username: Your API Key
Password: Your API Secret
If building the HTTP request by hand, you will need to follow the Basic Auth specification to convert your username and password to a token that can be sent within the authorization HTTP header.
In the above example, the token is a base64 encoding of key:secret
Note that the access_token
can be used to make requests to the ClearXP API but expires after an hour. A new token can be issued by using the refresh_token
(see below).
Basic Authentication is deprecated and we now recommend all third party applications upgrade to for improved security.
ClearXP supports the header when authenticating HTTP requests. If using a client library for building the authentication header, you will need to enter the following as the username and password for the request:
When content is launched from the LRS, a short-lived token will be automatically generated and supplied for the learner that launched the content. This token should be used as the value for the authorization header as demonstrated above. Read more about this mechanism in the section.