I'm using WhatsApp Cloud API Integration for our company use case and all functionality will be server-to-server API call and I have to generate a Permanent token to call the WhatsApp API to send the message. I have submitted a request to get advance access to whatsapp_business_messaging but it got rejected as we do not have any frontend UI to showcase the implementation. Facebook support team said I do not need advance access if we are implementing WhatsApp API for our own use case. We have also generated the permanent key by creating a system user from the Facebook Business dashboard but the API throws an error that this key does not have permission.
Please guide me on how can a get approval or get a permanent access token to use the WhatsApp Cloud API Integration.
Thank you in advance
On your business setting go to the User(left side menu) and create a system user there. and there you can create the permanent access token.
Related
I requested RefreshToken from my customer to develop a web page for them by using google adwords Api. They responded my request like that ->
There is no need for Refresh Token to use Google Adwords Api.
Could you please answer me if it is possible or not? If it is possible how we can use Google Adwords Api without RefreshToken?
You only need an access token to access the adwords api that will expire after an hour. You could probably use a service account authentication. If they do give you a refreshToken remember you will also need the client id and secret used to create it in order to get the access token.
It is a also against Google terms of use to share the client credentials. You will need to create your own project and have them authenticate it when they need to access their data. You will then have a refreshToken.
I have to develop a RESTful API for a mobile application and I have some concerns about the flow of the communication between those parts. I'm new to the API development for mobile devices and OAuth.
The project in common should work this way:
users are allowed to login using only their Google accounts
the mobile application uses the website API and all the information is stored on the backend
I found a similar question here OAuth on REST API for mobile app and I prefer the first solution from it, but I have some questions about the security of this solution.
1) Should I use OAuth2 for the API? I'm not sure it's a good idea just to send the user's Google ID to the API to get user's data.
2) How can I check on the server that the Google ID is correct and actual? Or it's not important at all?
I'm thinking about this scenario, but I'm not sure it's the best solution:
1) The user logs in on the mobile application for the first time using his Google Account.
2) The mobile application receives Google ID and some additional information.
3) The mobile application sends the Google ID to the server.
4) The server uses OAuth2. It creates an account for the user (saving the Google ID in the database) and returns an access token to the mobile application.
5) The mobile application stores the access token locally and uses it for requests to the server. Once the access token expires, the user has to login in the mobile application again using his Google account.
I have some concerns about using just Google ID for generating a token. I mean, anybody can just use somebody's Google ID to create a token. Bad idea :(
Also should I use JWT better as a token?
Thanks for your help!
You should send the user's id_token to the API instead
There are a couple of different ways in which you can validate the integrity of the ID token on the server side:
a) "Manually" - constantly download Google's public keys, verify signature and then each and every field, including the iss one; the main advantage (albeit a small one in my opinion) I see here is that you can minimize the number of requests sent to Google.
b) "Automatically" - do a GET on Google's endpoint to verify this token
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}
c) Using a Google API Client Library.
As for the workflow, it's mostly correct, except for the last step, where you can instead refresh an access token without prompting the user for permission. Btw, Google's id_token is actually a JWT.
I am trying to access YouTube Reporting API with a service account. But I am getting a 403 forbidden when trying to do youtubeReporting.jobs().list().execute().
YouTube Reporting API clearly supposed Server-to-server interaction.
Do I need to grant access to Youtube Reporting API for a google service account? If so, how?
FYI : I am not using google app domain.
You could create service credentials in the google console, but those credentials won't fix your issue. According to the docs,
The service account flow supports server-to-server interactions that do not access user information. However, the YouTube Reporting API and YouTube Analytics API do not support this flow. Since there is no way to link a Service Account to a YouTube account, attempts to authorize requests with this flow will generate an error.
It is p counter-intuitive-- (not to mention hard to locate)-- this info esp. since conceptually related YT APIs utilize service accounts, see here, and the reporting api actions wouldn't seem to need to be associated w/ a specific user account.
Unfortunately, if you use a service account for the Youtube Reporting API you will still end up with a 403 unauthorized caller error.
Instead, create and use web client google credentials. Store and use the token generated from the flow.
You can do that in the Cloud Platform Console. See https://support.google.com/cloud/answer/6158841?hl=en for details
I have a site that I have tagged using Google Analytics. I can see that the stats are being created and I can analyse them using Google Analytics web tool.
I want to extract my tagging data using the Google Analytics API but all the instructions seem to point me towards the developers console to create my OAuth2 token. My site does not appear in the list of apps that is presented, so I can't do the next step of generating my OAuth2 token.
I feel like I must be missing something obvious, but I am hitting brick wall at the moment. How do I get the site to appear so I can see it in the developers console?
The Google Developer console is for registering your application, this way google knows who is using there APIs. Your Google analytics account wont show up here because well that's not how it works.
Create a new project you will get a client_id and client secrete that are used to identify your application. Then you use a programming language to access the API using the client id and client secret.
I am not a java programmer so i cant help you with that. You mentioned that you want to access your own data. I recommend you look in to using a service account. A service account can be used to grant authentication without having to prompt a user for access. This only works when it is your own account you are accessing and the data doesn't belong to another user. Take the service account email address and add it as a user in google analytics at the ACCOUNT level it must be the Account level. then when you use the service account in your code you will have access.
https://developers.google.com/analytics/devguides/reporting/core/v3/quickstart/service-java
In our company we run a number of different websites which are being tracked with Google Analytics (GA). Up to this point we have been using the Login protocol and GData to access GA data to display the data nicely on our custom web application dash boarded which we use for tracking traffic on our sites.
Nowadays Google has Google API Console which lets you track your API usage. We want to take advantage of this service to view howmuch APIs we consume. However from what we can understand it requires us to use OAuth for authentication instead of the username and password we currently use to access the data. We don't like OAuth because it redirects the user to Google for authentication when currently the user has no need to know about where the data is coming from and what credentials are needed.
Is there anyway that we could make Google API Console monitor our usage without having to switch from GData and the Login protocol?
You can switch to the OAuth 2 protocol and use a refresh token for offline access. Once you get the refresh token, you can save it to a file or database and use that to access the data without an authorization redirect.
See the docs here: https://developers.google.com/accounts/docs/OAuth2InstalledApp#refresh
Also see where there is discussion of using the refresh token: How can we access specific Google Analytics account data using API?