User Authorization
Setting Up OAuth 2.0
UserTesting APIs will require the OAuth 2.0 protocol to implement authentication and authorization.
Step 1
All apps consuming UserTesting APIs must be set up with the authorization flow so users can authorize the apps and provide permission to connect to their UserTesting accounts.
Building Authorization link
To prompt a user for authorization, you’ll first need to build an authorization request link. This link requires the authorization base URL, a client_id, a client_secret and a redirect_uri:
https://auth.usertesting.com/oauth2/<guid>/v1/authorize
?client_id=<your_client_id>
&client_secret=<your_client_secret>
&redirect_uri=<your_redirect_uri>
&scope=<scope>
Field | Value |
---|---|
Base URL (guid) | You will receive the Base URL to use for authorization during onboarding following your App Registration. |
client_id & client_secret | client_id and client_secret are generated during App Registration and available under Applications page on UserTesting Developer Portal |
redirect_uri | The redirect_uri is the URI of the page that you want to load after the user has completed authorization. You will need to configure this under your Application Settings. |
scope | UserTesting REST APIs provide user access control through scopes. Scopes define the permissions your app requires to interact with a UserTesting resource. You can select the scopes that your app requires when you request an Authorization token. This could be multiple space-delimited values. UserTesting scopes contain a resource type and a read or write permission. For example, a scope of clips:read allows read-only access to clips. |
User Signs In to UserTesting
After creating authorization request link, your app directs the user to that link so that the user can sign in to their UserTesting account with their UserTesting credentials.
Step 2
If users signs in successfully, our UserTesting OAuth 2.0 Server sends an authorization code back to your app. The authorization code provided in the redirect URI can only be exchanged once and expires x minutes after issuance.
Step 3
Your app exchanges this code for access tokens by calling Access Token endpoint.
Your app includes your client ID, client secret, and redirect URI along with authorization code received in Step 2 above. These values confirm the identity of your application so that an access token can be issued.
curl --request POST
--url 'https://auth.usertesting.com/oauth2/<guid>/v1/token
?grant_type=authorization_code
&client_id=<your_client_id>
&client_secret=<your_client_secret>
&code=<authorization_code>
&redirect_uri=<your_redirect_uri>
The response includes the access token, refresh token, the scopes associated with the token, an expiration time & more information.
{
"refresh_token": "eyJraWQiOiJLVGpGRmowU0JfNUZPM2htTU5pcXJTVUNQdTlIbUwLPm0fdLKfxgZw",
"access_token": "eyWeXRGT3BBodHRwczovL2F1dGgtc3RhZ2luZy51c2VydGVzdGluZy5jb20vb2F1dGgy",
"expires_in": 125,
"scope": "clips::read",
"token_type": "bearer"
}
Step 4
These tokens are tied to your users’ now authorized UserTesting accounts.
Using the OAuth Token
You can now use the token for making REST API requests by passing the token in the Authorization header.
For example, below is a sample request for calling GET /clips endpoint:
curl --location --request GET 'https://cloudhub-prod.usertesting.com/usertesting/api/v1/clip?uuid=0cd3f2a2-3771-43c9-beee-87e9fd145a94' \
--header 'client_secret: 294598cvjvcidfjd843eh4hdfC11' \
--header 'client_id: 83eu4njh5j546k54ol54jk5j5j5kjk5k' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJLV9rxI9fnaWhqNr4My5gHGFlR-1b0JFSrEkrZCbDN3bgQh9WRSE1lLPm0fdLKfxgZw'
Updated about 2 years ago