All Radio Workflow API's use OAuth2 specifications to authenticate a request. You should, if not already, become familair with this. Authorization is received by performing the "Authorization Code" version of authorization as specified in section 4.1 of RFC 6749. This will issue you a short-lived, single-use code that you will be able to exchange for an
refresh_token for the Instance.
|If you do not have these, then sign up and create them within the Partner Portal.
What is an Instance?
Our customers data is in an isolated instance, which means that one of our customers cannot access and see another customers data. For example, Desert Broadcasters is only able to see Desert Broadcasters, your
access_tokengranted by Desert Broadcasters can only view data in their instance.
Requests to the token and the refreshToken endpoints do not require an
access_token, but they both require a Basic Authorization header containing your PartnerKey as well as your PartnerSecret. Refer to Client side here for more information on how to construct a Basic Authorization header.
Keep your Partner Secret secure
We will never require and you should ensure you never expose your Partner Secret in any query paramaters, doing so is a security risk.
Construct and redirect your users to the authorize endpoint, the user will then grant you the required scopes to be able to interface with our API's.
The constructed URL should look like this
You can request multiple scopes by supplying a space-delimited (but url-safe) list of scopes in your authorize request. It will look like this: &scope=
Once the user has granted your access to their Radio Workflow instance, they will be redirected to your Partner Redirect URI. You will be able to access a new authorization code in the query parameters of the request.
We redirect the user back to your website
Now that you have your
authorization code, you can exchange it for an
access_token by making a request to the token endpoint. When you receive your
access_token, you will also be given a
refresh_token as well. Be aware, your
access_token is short lived, whereas your
refresh_token lives longer and can be used in exchange of a new
Other Grant Types
We have further authentication options available for trusted Partners and where the below authentication flow doesn't fit in well with your application. To become a trusted Partner, you must go through a review process with us to ensure that our customers data is protected.