Authentication

Overview

Ordoo uses OAuth 2.0 for authentication with the Authorization Code grant type.

This guide outlines when to use the Authorization Code grant type and how to securely authenticate an Ordoo user with this method.

Authenticating a user with Ordoo

Once you have an Ordoo Application you can direct your customers to a link that will allow them to authenticate themselves with Ordoo.

The URL that should be linked is:

https://app.ordoo.co.uk/oauth/authorize?
client_id=<CLIENT_ID>
&redirect_uri=<REDIRECT_URI>
&response_type=code
&scope=<SCOPES_SEPARATED_BY_A_PLUS>

For example:

https://app.ordoo.co.uk/oauth/authorize?client_id=abc123&redirect_uri=https://example.com/callback/ordoo&response_type=code&scope=read_orders+read_menu+write_menu+write_orders+read_stores+write_stores

The link behaviour should be obvious to customers; we recommend using the image shown below.

Upon authenticating, the user's browser will be redirected to the URI that you specified in your application. The parameter code will be appended to the URI. For example, this might look like:

https://example.com/auth/ordoo/callback?code={authorization_code}

Finally, you can exchange this authorization_code with Ordoo for a user access token.

POST /oauth/token HTTP/1.1
Host: app.ordoo.co.uk
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code={authorization_code}
&client_id={client_id}
&client_secret={client_secret}
&redirect_uri=urn:ietf:wg:oauth:2.0:oob

The returned JSON should look something like this:

{
"access_token": "{access_token}",
"token_type": "Bearer",
"expires_in": 21600,
"refresh_token": "{refresh_token}",
"created_at": 1568127860
}

The access_token and refresh_token can now be used to access all other API endpoints where permission is granted.

You can read more about Authorization Code Request here.

Making authenticated requests

By this point you should have an access_token and refresh_token for the account you're authenticating with. Requests to an endpoint that requires authentication should include the access_token in the Authorization header, as follows:

GET /stores/{store_id}/orders HTTP/1.1
Authorization: Bearer {access_token}
Host: api.ordoo.app

If your access_token is valid you'll get a successful response. However, if it has expired, you may need to exchange it for a new one by using the refresh_token. You can find out more about this here.
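The flow above (build the authorize link, receive the code on the callback, exchange it at /oauth/token, then call the API with a Bearer header) as one set of client-side helpers. This is an added example, not Ordoo's SDK or any code from this page; the endpoints, hosts and JSON fields are taken from the page, while the `state` parameter, the refresh_token grant and the rule that the token request repeats the redirect_uri used in the authorize step are standard OAuth 2.0 (RFC 6749) behaviour that the page does not show and that Ordoo's server is assumed to follow. Function names, the sample token JSON and the placeholder credential values are constructed for the example.

```python
"""Client-side helpers for the Ordoo Authorization Code flow described on this page.

Added example; not Ordoo's own SDK. Endpoints and hosts come from the page; the
`state` parameter and the refresh grant are standard OAuth 2.0 (RFC 6749) additions
that the page does not show and that Ordoo's server is assumed to honour.
"""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://app.ordoo.co.uk/oauth/authorize"
TOKEN_HOST = "app.ordoo.co.uk"
TOKEN_PATH = "/oauth/token"
API_HOST = "api.ordoo.app"


def new_state():
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: the link the customer is sent to. urlencode joins the scopes with '+'
    exactly as the page's example URL does."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # assumption: the server echoes this back on the callback
    })
    return f"{AUTHORIZE_URL}?{query}"


def parse_callback(callback_url, expected_state):
    """Step 2: pull `code` off the redirect. A callback whose state does not match the
    value stored in the session is rejected, so a code chosen by someone else cannot
    be bound to this user's session (login CSRF)."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise PermissionError(f"authorization failed: {params['error'][0]}")
    got = params.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise PermissionError("state mismatch; discarding callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: method, path, headers and form body for POST /oauth/token. redirect_uri
    repeats the value used in step 1 (RFC 6749 section 4.1.3). The client_secret is a
    server-side credential, so this request is built on the server, never in a browser."""
    headers = {"Host": TOKEN_HOST, "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })
    return "POST", TOKEN_PATH, headers, body


def refresh_request(refresh_token, client_id, client_secret):
    """Standard refresh_token grant (RFC 6749 section 6); assumed to be what Ordoo expects."""
    headers = {"Host": TOKEN_HOST, "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return "POST", TOKEN_PATH, headers, body


class TokenSet:
    """Parsed /oauth/token response. Expiry is derived from the page's created_at
    (Unix seconds) and expires_in (seconds) fields."""

    def __init__(self, payload):
        self.access_token = payload["access_token"]
        self.refresh_token = payload.get("refresh_token")
        self.expires_at = int(payload["created_at"]) + int(payload["expires_in"])

    def is_expired(self, now, skew=60):
        """Treat the token as expired `skew` seconds early so a request never races the deadline."""
        return now >= self.expires_at - skew


def parse_token_response(raw_json):
    return TokenSet(json.loads(raw_json))


def authenticated_request(token_set, store_id, now):
    """Step 4: request line and headers for GET /stores/{store_id}/orders. Refuses to
    send an expired token so the caller refreshes instead of getting a rejection."""
    if token_set.is_expired(now):
        raise RuntimeError("access_token expired; use the refresh_token first")
    path = f"/stores/{store_id}/orders"
    return "GET", path, {"Host": API_HOST, "Authorization": f"Bearer {token_set.access_token}"}


# Constructed sample token response mirroring the page's JSON; token values are placeholders.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 21600,
    "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "created_at": 1568127860,
})
```

The helpers return request components rather than sending them, so they can be checked without network access and dropped into whatever HTTP client the integration already uses; the two things worth keeping as written are the constant-time `state` comparison on the callback and the expiry check before each API call.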