API Auth Mgmt Termination

The API Authorization Management website is now deprecated

The API Authorization Management website no longer served a purpose, and became unavailable from the middle of May 2019.

Previously the website provided the following functionality:-

  • Create batch authorizations
  • View Fair Usage statistics
  • View which resource services you have access to
  • Dictate which users could use Revolution-i
  • View and/or revoke outstanding authorizations

The following sections deal with each of these topics.

Create batch authorizations

The ability to create batch authorizations was removed from the website in June 2017. Instead, Data Feed User accounts are now used for all new batch authorizations. These accounts and their Revolution Web API batch authorizations are created by StatPro. For more details see:-

View Fair Usage statistics

The Web API’s original Fair Usage Policy was removed in March 2018. Accordingly, the screens provided by the website to monitor usage statistics with respect to the old Fair Usage Policy became redundant. For more details see:-

View which resource services you have access to

In practice this wasn’t very useful, as the Revolution Web API was the one and only resource service.

Dictate which users could use Revolution-i

For organizations that have purchased licenses for the StatPro Revolution-i application, the website was used to set up which specific users were allowed to use Revolution-i. We now employ a less prescriptive method that monitors usage; if usage is excessive, organizations are requested to purchase additional licenses.

View and/or revoke outstanding authorizations

The OAuth 2.0 Authorization Framework, employed for access to the Revolution Web API, places importance on the idea that users are in charge of their per-application authorizations. In practice this means that users should be able to view what authorizations they have granted in the past to various different applications, and to revoke them if necessary. Having revoked an authorization, the application in question would be forced to re-prompt the user to grant access, before being able to retrieve his/her data from the Web API again.

In accordance with this principle, the website allowed users to view and/or revoke their outstanding per-application authorizations.

With the introduction of Data Feed Users for access to batch applications in February 2017, the ability to view and revoke came to pertain increasingly to interactive applications (such as Revolution-i Interactive, the Revolution Excel Add-in and the Revolution Web API Explorer website).

However, the ability for interactive users to log in to the website and view / revoke authorizations was redundant (to a certain extent) because doing so wasn’t actually necessary for many applications. If an application prompts you to grant access to your Web API data each and every time you open it and start using it, then you don’t need to revoke the authorization (displayed in the website) to deny it access.

In practice, what applications (such as the Revolution Web API Explorer) are doing when they have to prompt you for access each time is not retaining the refresh token between application sessions. The refresh token - and its retention between application sessions - is what gives the app the ability to continue to access your data after you have granted it permission just once.

StatPro now advise the authors of applications that retain the refresh token to:-

  • advertise this fact to their users
  • provide the ability for a user to tell the application to revoke access to his/her data
  • invoke StatPro’s new Token Revocation endpoint to revoke the refresh token.
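The following added example (not StatPro's code) sketches how an application that retains its refresh token between sessions could implement the second and third points. It assumes the revocation endpoint accepts an RFC 7009 style request with HTTP Basic client authentication; the URL is a placeholder, and `RetainedToken`, `build_revocation_request` and the `send` hook are hypothetical names.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Placeholder: the page does not give the real revocation endpoint URL.
REVOCATION_URL = "https://auth.example.invalid/oauth2/revoke"


def build_revocation_request(refresh_token, client_id, client_secret):
    """Assumed RFC 7009 form: POST token + hint, client authenticates with Basic."""
    body = urllib.parse.urlencode(
        {"token": refresh_token, "token_type_hint": "refresh_token"}
    ).encode("ascii")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        REVOCATION_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}"},
    )


class RetainedToken:
    """File-backed store for an app that keeps its refresh token between sessions."""

    def __init__(self, path):
        self.path = path

    def save(self, refresh_token):
        # Owner-only file: the refresh token is a long-lived credential.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({"refresh_token": refresh_token}, f)

    def load(self):
        try:
            with open(self.path) as f:
                return json.load(f)["refresh_token"]
        except FileNotFoundError:
            return None

    def revoke(self, client_id, client_secret, send):
        """Revoke server-side, then delete the local copy; send(Request) -> HTTP status."""
        token = self.load()
        if token is None:
            return False
        if send(build_revocation_request(token, client_id, client_secret)) != 200:
            return False  # keep the token so revocation can be retried
        os.remove(self.path)
        return True
```

The local copy is deleted only after the server confirms revocation, so a failed call never leaves a still-valid token that the application can no longer revoke.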

For more details see:-

Last updated: March 2019