StatPro Revolution Web API


Authorization using OAuth2


Special Notice: The API Authorization Management website will cease to exist from the end of Q1 2019. See more details in the Change Log.


Introduction

The StatPro Revolution Web API uses the OAuth 2.0 Authorization Framework for user authentication and authorization.

OAuth 2.0 significantly improves upon older authentication methods such as HTTP Basic Authentication and HTTP Digest Authentication in that:-

  1. a user isn't required to submit his/her credentials to client applications;
  2. users are in control of their authorizations, and can revoke access by an application at any time;
  3. target Resource Servers (such as the Revolution Web API) don't have to validate user credentials and check user permissions on each and every request, significantly improving their speed of operation.

OAuth 2.0 improves upon OAuth 1.0 in that the use of Bearer Access Tokens and the mandated use of HTTPS endpoints means that the complexities of cryptographic signatures (required by OAuth 1.0) are removed. OAuth 2.0 is rapidly becoming the de facto way of providing authentication and authorization for secure Web APIs.

There can be no doubt that the use of OAuth2 adds significant conceptual overhead over and above (say) HTTP Basic Authentication, where all an app needed to specify was the following request header:-

Authorization: Basic base64(username:password)

The good news is that:-

  • once learned for one API, OAuth2 knowledge can be applied to all compliant APIs;
  • StatPro's implementation of OAuth2 is based on the final OAuth2 specifications;
  • StatPro's implementation is based on a clearly-defined subset of the OAuth 2.0 Framework specification.

The following Topics pages should be read in the following order, to gain a full understanding of OAuth 2.0 authorization for the Revolution Web API.


Authorization topics

Overview

Registering a client application

Server-Side Web applications

Native applications

Batch applications

Tenancy selection and tenancy information

Using Data Feed User accounts for batch access

Token Revocation


Last updated: October 2018


To Top