I am building an integration in Zapier (not a Zap) to retrieve data from Monday.com. Monday uses an API key that is required to be passed in the header to authenticate requests.
In Zapier developer I have set up the authentication as API Key. I have set up a field api_key for the user to add their key.
I have set up the test GET request and in the HTTP Headers tab have added the api_key.
When I send the request, authentication fails with the following error:
authentication failed: The app returned "Not Authenticated". What happened (You are seeing this because you are an admin): Stack trace: ResponseError: {"status":401,"headers":{"content-type":"application/json; charset=utf-8"},"content":"{"errors":["Not Authenticated"]}","request":{"url":"https://api.monday.com/v2?query=%7Bme%7B%7D%7D"}} at
The Authentication code is
I think the issue is that you are sending the API key as an api_token header.
You need to send this API key as the "Authorization" header of your request to monday.com.
Example:
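An added example, not code from the question or the answer: the Zapier CLI equivalent of the fix. The UI app in the question put the key under an api_token header; the middleware below copies bundle.authData.api_key into the Authorization header on every outgoing request instead, and a second middleware reproduces the wrong header so the difference is visible. The monday.com endpoint and the `me` query come from the error message in the question; mondayStandIn is a constructed stand-in that mimics the 401 body, so the block runs offline, and the sample key is constructed.

```javascript
const MONDAY_API = 'https://api.monday.com/v2';
// Constructed sample key the stand-in accepts; a real key comes from the user's monday.com profile.
const VALID_KEYS = new Set(['constructed-valid-key']);

// Zapier CLI beforeRequest middleware shape: (request, z, bundle) => request.
// This is the fix from the answer: the user's key goes in the Authorization header.
function includeApiKey(request, z, bundle) {
  const key = bundle && bundle.authData && bundle.authData.api_key;
  if (key) {
    // monday.com reads the raw key from Authorization; no "Bearer " prefix.
    request.headers = Object.assign({}, request.headers, { Authorization: key });
  }
  return request;
}

// What the app in the question effectively did: the same key under the wrong header name.
function includeApiKeyAsApiToken(request, z, bundle) {
  const key = bundle && bundle.authData && bundle.authData.api_key;
  if (key) {
    request.headers = Object.assign({}, request.headers, { api_token: key });
  }
  return request;
}

// The authentication test request: a minimal GraphQL `me` query, as in the error's URL.
function buildAuthTestRequest() {
  return {
    method: 'POST',
    url: MONDAY_API,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ query: '{ me { id } }' }),
  };
}

// Constructed stand-in for monday.com: it only looks at Authorization and answers
// with the same 401 body the question shows when the key is missing or unknown.
function mondayStandIn(request) {
  const key = request.headers && request.headers.Authorization;
  if (!key || !VALID_KEYS.has(key)) {
    return { status: 401, content: JSON.stringify({ errors: ['Not Authenticated'] }) };
  }
  return { status: 200, content: JSON.stringify({ data: { me: { id: '1' } } }) };
}

// Run the auth test through a middleware chain the way Zapier applies `beforeRequest`.
function runAuthTest(befores, bundle) {
  const z = {}; // the real z object is not needed by these middlewares
  const request = befores.reduce((req, mw) => mw(req, z, bundle), buildAuthTestRequest());
  return mondayStandIn(request);
}

// Usage: the wrong header reproduces the 401 from the question; Authorization passes.
const sampleBundle = { authData: { api_key: 'constructed-valid-key' } };
console.log(runAuthTest([includeApiKeyAsApiToken], sampleBundle).status); // 401
console.log(runAuthTest([includeApiKey], sampleBundle).status); // 200
```

In a CLI app the middleware is registered as `beforeRequest: [includeApiKey]` in the app definition; in the visual builder the same effect is the Authorization header whose value is `{{bundle.authData.api_key}}`.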
I have a server (at site.com/api/v1/auth) that sends user data with a GET parameter.
I have a login and password for authorization; in return, the server sends me a unique key. That is, after each successful authorization the API key changes.
Here are the instructions, but I don't understand how to set this up correctly in Postman to check.
https://app.swaggerhub.com/apis-docs/pixel3655/democontent2.pi/1.0.0-oas3#/user/auth
You need to send X-PI-EMAIL and X-PI-PASSWORD in the headers of the auth endpoint.
Then in the Tests section of the auth endpoint you can inject the id into your environment variables.
pm.environment.set("currentId", pm.response.json().result.id);
and use it on the other API requests by adding a header of X-PI-KEY and a value of {{currentId}}.
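The chained flow from the answer, as an added example that is not part of the original post: a stand-in for the auth endpoint that takes X-PI-EMAIL / X-PI-PASSWORD and returns a fresh key on every successful login, a stand-in for a protected call that requires X-PI-KEY, a shim for just the parts of Postman's `pm` object the one-line test script uses, and the `{{currentId}}` substitution. The user table, the key format and the `{ result: { id } }` response shape (taken from the answer's script, not from the SwaggerHub spec) are constructed assumptions.

```javascript
// Constructed user table and an in-memory record of keys the auth endpoint has issued.
const USERS = { 'user@example.com': 'constructed-password' };
const issuedKeys = new Set();
let keyCounter = 0;

// Stand-in for GET /api/v1/auth: credentials arrive in X-PI-EMAIL / X-PI-PASSWORD,
// and every successful call returns a new key (the question says it changes each time).
function authEndpoint(headers) {
  const email = headers['X-PI-EMAIL'];
  const password = headers['X-PI-PASSWORD'];
  if (!email || USERS[email] !== password) {
    return { status: 401, json: { error: 'bad credentials' } };
  }
  keyCounter += 1;
  const id = `key-${keyCounter}`;
  issuedKeys.add(id);
  return { status: 200, json: { result: { id } } };
}

// Stand-in for any other API call: it requires a previously issued key in X-PI-KEY.
function protectedEndpoint(headers) {
  const key = headers['X-PI-KEY'];
  if (!key || !issuedKeys.has(key)) {
    return { status: 401, json: { error: 'missing or unknown X-PI-KEY' } };
  }
  return { status: 200, json: { ok: true } };
}

// Just enough of Postman's `pm` object for the answer's test script to run unchanged.
function makePm(response) {
  const env = new Map();
  return {
    environment: {
      set: (name, value) => env.set(name, value),
      get: (name) => env.get(name),
    },
    response: { json: () => response.json },
  };
}

// Resolve {{name}} placeholders in a header value the way Postman does.
function resolvePlaceholders(value, pm) {
  return value.replace(/\{\{(\w+)\}\}/g, (_, name) => pm.environment.get(name) || '');
}

// The whole chain: log in, capture the key with the answer's script, use it on the next call.
function loginThenCall(email, password) {
  const loginRes = authEndpoint({ 'X-PI-EMAIL': email, 'X-PI-PASSWORD': password });
  if (loginRes.status !== 200) return { login: loginRes.status, call: null, key: null };
  const pm = makePm(loginRes);
  // The exact line from the answer's Tests section:
  pm.environment.set("currentId", pm.response.json().result.id);
  const callRes = protectedEndpoint({ 'X-PI-KEY': resolvePlaceholders('{{currentId}}', pm) });
  return { login: loginRes.status, call: callRes.status, key: pm.environment.get('currentId') };
}
```

Because the server hands out a different key after every login, the Tests script has to run on each login, which is why the key lives in an environment variable rather than being pasted into the other requests.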
I followed the Sonos docs for adding app authentication and the page for using authentication tokens and the result is that the SMAPI server correctly returns an authToken together with a privateKey back to the controller. I can see the authToken being present in the credentials header inside the SOAP messages sent to my SMAPI server.
However, despite the many mentions of this in the Sonos docs pages related to HTTP requests (I will list the resource links below), the same authToken is not being sent in the HTTP Authorization header, making my CQ server unable to validate the requester's identity.
I tried the following, without success:
checking the "Requires authorization header" capability in the customsd page of my Sonos device (I tried this because the docs page about capabilities precisely indicates that checking this "Sends OAuth token in the HTTP Authorization header.")
identifying some correlation between the "X-Sonos-" prefixed HTTP headers used when the controller sends SOAP messages to my SMAPI server and the "X-Sonos-" prefixed HTTP headers used when the device sends HTTP requests to my CQ server (eventually, I could not find any information that would identify the user based on these)
From Sonos device:
X-Sonos-Playback-Id: RINCON_48??????D201400:3165321802 <= deviceId inserted after RINCON_
X-Sonos-Device-Id: Sonos_U????????????????????????6 <= householdId
X-Sonos-Corr-Id: 267e3e0c-75ca-4b9d-8be4-b8a795a462a3 <= unique each time
From macOS Controller:
X-Sonos-Controller-ID: 68:??:??:??:??:07 <= the same each time
X-Sonos-Api-Key: 8??????e-7??7-4??f-b??6-7??????????0 <= the same each time
X-Sonos-Corr-Id: 648ec896-e043-44f8-bfba-cd0a80c9d857 <= unique each time
checking both the "Include SMAPI context headers with all requests" and "Include Zone Player IDs in credentials header" capabilities in the customsd page of my Sonos device (I tried this following the answer to this sonos-tagged Stack Overflow question: Now that device ID is deprecated, is there another way to identify the client?)
The docs links I mentioned above that refer to the presence of the auth token in the HTTP Authorization header are the following:
the GET /context CQ API method page says to return 401 Unauthorized when "The access token has expired or is invalid."
the GET /itemWindows CQ API method page says "the player can use this API to obtain a new access token in the response from your cloud queue server" and "The request contains the access token in the authorization header" and "If the access token is set to expire soon, an updated one is included in the X-Updated-Authorization header of the response"
the POST /timePlayed CQ API method page says "The request header contains the access token in the authorization header" and that the method returns ERROR_SONOS_TOKEN_EXPIRED when "SMAPI OAuth token is expired, and user must re-authorize the account"
the GET /version CQ API method page says again that "The request contains the access token in the authorization header" and talks about a now deprecated updateToken parameter and also says that "If the access token is set to expire soon, you should include an updated token in the X-Updated-Authorization header."
But the clearest mention is on the page about HTTP requests, because it is not specific to the CQ API endpoints but applies to all HTTP endpoints, even those hosted by the SMAPI server itself. The page contains the following two excerpts:
and
To conclude, with so many mentions of it in the official Sonos docs, why isn't this essential token being transmitted in the HTTP Authorization header? And how should a CQ server verify the identity of the requester without this authToken on each API method request?
The auth token is sensitive information and will not be included in the HTTP headers if it's being sent to an endpoint that is insecure.
Try again with your CQ server behind an https:// address.
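An added example, not code from the answer or from Sonos: the two sides of the check the question asks about, written from what the docs quoted in the question say. The player side mirrors the answer's point by putting the token in Authorization only when the cloud queue URL is https; the server side handles GET /context with the 401 for a missing, unknown or expired token and the X-Updated-Authorization renewal for a token about to expire. The token store, lifetimes, household id, the "Bearer" prefix and the token string format are all constructed assumptions; the real token is opaque to the CQ server.

```javascript
const TOKEN_TTL_MS = 60 * 60 * 1000;    // assumed lifetime of a CQ access token
const RENEW_WINDOW_MS = 5 * 60 * 1000;  // assumed "expires soon" window

// In-memory token store: token -> { householdId, expiresAt }. Constructed for the example.
const cqTokens = new Map();
let tokenSeq = 0;
function issueToken(householdId, now) {
  tokenSeq += 1;
  const token = `cq-token-${tokenSeq}`;
  cqTokens.set(token, { householdId, expiresAt: now + TOKEN_TTL_MS });
  return token;
}

// Player side, following the answer: the token is only placed in the Authorization
// header when the cloud queue endpoint is https.
function playerRequest(cqBaseUrl, path, token) {
  const headers = { 'X-Sonos-Corr-Id': 'constructed-corr-id' };
  if (cqBaseUrl.startsWith('https://')) {
    headers.Authorization = `Bearer ${token}`;   // "Bearer" prefix is an assumption
  }
  return { method: 'GET', url: cqBaseUrl + path, headers };
}

// CQ server side for GET /context: 401 when the token is missing, unknown or expired;
// when it is about to expire, a replacement goes back in X-Updated-Authorization.
function handleContext(req, now) {
  const raw = req.headers.Authorization || req.headers.authorization;
  if (!raw) {
    return { status: 401, headers: {}, body: { error: 'missing Authorization header' } };
  }
  const token = raw.replace(/^Bearer\s+/i, '');   // accept raw or Bearer-prefixed
  const entry = cqTokens.get(token);
  if (!entry || entry.expiresAt <= now) {
    return { status: 401, headers: {}, body: { error: 'The access token has expired or is invalid.' } };
  }
  const headers = {};
  if (entry.expiresAt - now <= RENEW_WINDOW_MS) {
    headers['X-Updated-Authorization'] = issueToken(entry.householdId, now);
  }
  return { status: 200, headers, body: { householdId: entry.householdId } };
}
```

The practical check this gives you: if handleContext is answering 401 with "missing Authorization header" for every player request, look at the scheme of the CQ URL the player was given before looking for a bug in token validation.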
If I follow you correctly, the token is passed in the header under loginToken, see https://developer.sonos.com/build/content-service-add-features/add-authentication/use-authentication-tokens/
This is not an HTTP header; this is a section of the SOAP envelope. Like this:
I am trying to integrate a third party API. I was provided with a username and password.
When I use Postman to send a POST request to the login webpage, the request header contains a Postman token:
Postman-Token: vvvvvvvvv-wwwww-xxxx-yyyy-zzzzzzzzzz //this is not the real value
If I supply the Postman token in every request after the login request (as shown below), then everything still works as expected:
If I access the API through my webpage, then everything also works as expected. My questions are:
What is the Postman token? I have already looked here: https://stackoverflow.com/questions/36883046/what-is-the-postman-token-header-attribute-in-generated-code-from-postman#:~:text=1%20Answer&text=This%20is%20primarily%20used%20to,random%20token%20avoids%20this%20issue.
What is the alternative to the Postman token when accessing the API through a webpage? I can see no token in the request when looking at it using Fiddler. Where is the bearer token in Fiddler?
Postman token:
So it is just a custom header to track and debug Postman requests in the receiving server.
It doesn't do any authorization.
Why no token in Fiddler:
Because you haven't added it. You can add any custom header to the request you are sending.
Why it works when used as a bearer token:
Because in your login call your session is cached. So for subsequent requests it is using the cached session.
To close the session, update the Connection header from keep-alive to close.
Try setting the second request to no auth:
and see if the request is still successful, to confirm you are using the cached session.
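An added example (not from the question or the answer) of the check the answer suggests, done against a constructed server so it runs offline: a login that creates a server-side session and returns it in a cookie, and a protected resource that decides purely on that cookie. Postman-Token is read only so the response can show it was present; it never affects the decision, which is what sending the request with the cookie removed, or with only the Postman-Token header kept, makes visible. The user table, session ids and cookie name are constructed.

```javascript
// Constructed user table and server-side session store.
const USERS = { alice: 'constructed-password' };
const sessions = new Map();
let sessionSeq = 0;

function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// POST /login: on success the server creates a session and returns it in a cookie.
function login(req) {
  const { username, password } = req.body || {};
  if (!username || USERS[username] !== password) return { status: 401, headers: {} };
  sessionSeq += 1;
  const sid = `sid-${sessionSeq}`;
  sessions.set(sid, username);
  return { status: 200, headers: { 'Set-Cookie': `session=${sid}; HttpOnly; Secure; SameSite=Lax` } };
}

// Protected resource: only the session cookie decides. Postman-Token is read purely
// so the point is visible in the response; it never influences the decision.
function protectedResource(req) {
  const postmanToken = req.headers['Postman-Token'];
  const cookies = parseCookies(req.headers.Cookie || '');
  const user = sessions.get(cookies.session);
  if (!user) return { status: 401, body: { error: 'no valid session' } };
  return { status: 200, body: { user, postmanTokenSeen: Boolean(postmanToken) } };
}

// What a client keeps after login: the cookie pair, as Postman's cookie jar would.
function cookieFromLogin(loginRes) {
  return loginRes.headers['Set-Cookie'].split(';')[0];
}
```

This is also where to look in Fiddler: the credential that survives the login is the Cookie header on the later requests, not anything named token.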
I've registered as a developer with eBay and created an app.
I generated an OAuth token (not Auth'n'Auth).
Using Postman to generate a simple request (image) and receiving an error for token invalidity:
Error: Invalid access token. Check the value of the Authorization HTTP request header.
What am I doing wrong here?
If your token is for "sandbox" environment, make sure you use sandbox API endpoints for your requests as well.
Instead of https://api.ebay.com/buy/browse/v1/...,
try https://api.sandbox.ebay.com/buy/browse/v1/....
One issue that might have happened:
The access token might have expired.
Use the refresh token to refresh the access token when it expires — you know when to do this when your call to the API returns a status code of 401 and the above body you saw in Postman.
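The two checks from the answers above, as an added example that is not from either answer or from eBay: pick the host from the environment the token was minted for, and on a 401 refresh once and retry. The Browse API path and the 401 message are the ones on the page; the stand-in API, the refresh function and the token format (which encodes the environment and expiry only so the stand-in can reject a sandbox token on the production host, real eBay tokens are opaque) are constructed.

```javascript
const EBAY_HOSTS = {
  production: 'https://api.ebay.com',
  sandbox: 'https://api.sandbox.ebay.com',
};

// Build a Browse API URL for the chosen environment; an unknown environment is a bug, not a 401.
function browseUrl(env, path) {
  const host = EBAY_HOSTS[env];
  if (!host) throw new Error(`unknown eBay environment: ${env}`);
  return `${host}/buy/browse/v1${path}`;
}

// Constructed token format "<env>:<expiryMs>" so the stand-in can tell which
// environment minted a token and whether it has expired.
function mintToken(env, now, ttlMs) {
  return `${env}:${now + ttlMs}`;
}

// Stand-in for the Browse API. Its 401 body uses the message from the question.
const INVALID_TOKEN = {
  status: 401,
  body: { errors: [{ message: 'Invalid access token. Check the value of the Authorization HTTP request header.' }] },
};
function ebayStandIn(url, headers, now) {
  const m = /^Bearer ([a-z]+):(\d+)$/.exec(headers.Authorization || '');
  if (!m) return INVALID_TOKEN;
  const tokenEnv = m[1];
  const expiresAt = Number(m[2]);
  const urlEnv = url.startsWith(EBAY_HOSTS.sandbox) ? 'sandbox' : 'production';
  if (tokenEnv !== urlEnv || expiresAt <= now) return INVALID_TOKEN;
  return { status: 200, body: { itemSummaries: [] } };
}

// Client: call with the current access token; on 401, refresh once and retry.
// `tokens` is mutated so the caller keeps the new access token.
function callWithRefresh(env, path, tokens, refresh, now, api = ebayStandIn) {
  const url = browseUrl(env, path);
  let res = api(url, { Authorization: `Bearer ${tokens.access}` }, now);
  if (res.status === 401 && tokens.refresh) {
    tokens.access = refresh(tokens.refresh, now);
    res = api(url, { Authorization: `Bearer ${tokens.access}` }, now);
  }
  return res;
}
```

Refreshing is bounded to one retry: a sandbox token used against api.ebay.com stays invalid after a refresh, so unlimited retries would only hide the environment mismatch.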
We are using App Service Authentication to protect a web API and using Google as the authentication provider. It works as expected when we fire a request from a browser (when the session information is in the cookie).
IIS log:
2016-05-29T13:51:19 PID[3600] Verbose Received request: GET https://XXXXXX.azurewebsites.net/api/user
2016-05-29T13:51:19 PID[3600] Verbose Found 'AppServiceAuthSession' cookie for site 'XXXXXX.azurewebsites.net'. Length: 728.
2016-05-29T13:51:19 PID[3600] Verbose Authenticated XXXXXX#gmail.com successfully using 'Session Cookie' authentication.
But when we use an API testing tool such as Postman and set the Authorization header with a bearer token, it always results in a redirection.
IIS log:
2016-05-29T13:53:38 PID[3600] Verbose Received request: POST https://XXXXX.azurewebsites.net/api/user
2016-05-29T13:53:38 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-XXXXX7attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De5f4aabe11cb4544bf18d00920940d47_20160529135838%26redir%3D%2Fapi%2Fuser
We also tried to set the X-ZUMO-AUTH header with the same bearer token; we see an error as the token is not in the expected format. Apparently it expects an encoded JWT token.
IIS log:
2016-05-29T13:51:52 PID[3600] Verbose Received request: POST https://XXXXXX.azurewebsites.net/api/user
2016-05-29T13:51:52 PID[3600] Warning JWT validation failed: IDX10708: 'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'Bearer ya29.XXXXXXXXXX_RDrX_zsuvMx49e_9QS5ECz9F1yhDHe5j4H9gRN6opkjLXvN1IJZjHXa_Q'. The string needs to be in compact JSON format, which is of the form: '..'..
2016-05-29T13:51:52 PID[3600] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-k5nj6dkf987attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De15b0915406142378XXXXX_20160529135652%26redir%3D%2Fapi%2Fuser
Note:
The bearer token obtained from Google is valid, as we can verify its details by making a call to
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[token]
Please suggest.
The Google token you're using is an access token, not a bearer token. It can be used to access Google resources but cannot be used to authenticate with your Web API.
I wasn't able to find good documentation on this, but I can tell you what works instead:
1. In your client app, you must obtain an id_token and an authorization code from Google. You normally get this when the user logs in using the Google OpenID Connect login. I assume you already know how to do this since you already know how to get the access token.
2. Send a POST request to https://{hostname}/.auth/login/google with a JSON payload that looks like {"authorization_code":"<code>", "id_token":"<id_token>"}.
3. A successful login response will contain a JSON payload that contains an authenticationToken field. Cache this token.
4. You can use the authentication token from #3 to make authenticated calls to your web API. Put it in the x-zumo-auth HTTP request header.
1. Turn on Authentication / Authorization from the App Service portal.
2. Browse to the web app or API that requires authentication; you will be redirected to the Google login page. When you authenticate successfully, the response will contain:
"id_token": this token can be extracted from the response, or by accessing the token store at /.auth/me
"redirect_uri": this will be included in the response body; you can also just set it statically in the following step, since this is the callback URL and it shouldn't change unless you change it in the Google console
3. POST a request to https://{hostname}/.auth/login/google with the following JSON payload: {"redirect_uri":"", "id_token":""}. A successful response will contain "authenticationToken"; store or cache this token.
4. Subsequent requests to the APIs that require authentication should contain an HTTP request header "x-zumo-auth" with the value of "authenticationToken".
Bonus:
In order to verify your token you can POST to https://{hostname}/.auth/login/google with the following JSON payload: {"id_token":""}. The response should specify whether the token is valid or not.
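The exchange both answers describe, as an added example that is not code from either answer or from Azure: POST the Google id_token (with the authorization code, as the first answer does) to /.auth/login/google, keep the authenticationToken, and send it in x-zumo-auth. The stand-in for the App Service front end is constructed; its redirect for a request that carries only a Google access token in Authorization, or a non-JWT string in x-zumo-auth, follows the question's IIS log. The hostname, the set of id_tokens treated as issued by Google, and the session token format are constructed assumptions.

```javascript
const HOST = 'https://constructed-app.azurewebsites.net';           // constructed hostname
const VALID_ID_TOKENS = new Set(['constructed.google.id_token']);  // what Google "issued"
const zumoSessions = new Set();
let sessionSeq = 0;

// Stand-in for the App Service Authentication front end (constructed; the login
// exchange follows the two answers, the redirect the question's IIS log).
function appServiceStandIn(req) {
  const url = new URL(req.url);
  if (req.method === 'POST' && url.pathname === '/.auth/login/google') {
    const body = JSON.parse(req.body || '{}');
    if (!body.id_token || !VALID_ID_TOKENS.has(body.id_token)) {
      return { status: 401, headers: {}, body: {} };
    }
    sessionSeq += 1;
    const authenticationToken = `zumo-${sessionSeq}`;
    zumoSessions.add(authenticationToken);
    return { status: 200, headers: {}, body: { authenticationToken } };
  }
  // Any other path: only a valid x-zumo-auth session token gets through.
  const zumo = req.headers['x-zumo-auth'];
  if (zumo && zumoSessions.has(zumo)) {
    return { status: 200, headers: {}, body: { user: 'XXXXXX#gmail.com' } };
  }
  // A Google access token in Authorization, or a non-JWT in x-zumo-auth, ends up here:
  // the front end redirects to the provider login page, as in the question's log.
  const location = 'https://accounts.google.com/o/oauth2/v2/auth?response_type=code'
    + '&redirect_uri=' + encodeURIComponent(`${HOST}/.auth/login/google/callback`)
    + '&scope=openid+profile+email';
  return { status: 302, headers: { Location: location }, body: {} };
}

// Steps 2-3 of the first answer: exchange the Google id_token (plus authorization code)
// for an App Service authenticationToken.
function loginWithGoogleIdToken(idToken, authorizationCode, send = appServiceStandIn) {
  const res = send({
    method: 'POST',
    url: `${HOST}/.auth/login/google`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ authorization_code: authorizationCode, id_token: idToken }),
  });
  if (res.status !== 200) throw new Error(`App Service login failed with ${res.status}`);
  return res.body.authenticationToken;
}

// Step 4: call the protected API with the session token in x-zumo-auth.
function callApi(path, authenticationToken, send = appServiceStandIn) {
  return send({ method: 'GET', url: `${HOST}${path}`, headers: { 'x-zumo-auth': authenticationToken } });
}

// What the question tried: the Google access token as a bearer token on the API itself.
function callApiWithGoogleAccessToken(path, accessToken, send = appServiceStandIn) {
  return send({ method: 'GET', url: `${HOST}${path}`, headers: { Authorization: `Bearer ${accessToken}` } });
}
```

The `send` parameter is there so the same client functions can be pointed at a real App Service host with an HTTP client; the stand-in only exists so the block runs offline.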