Can you authenticate the Twitter API within the URL? - api

Is it possible to authenticate the Twitter API through a URL in a web browser?
ex. https://api.twitter.com/1.1/search/tweets.json?q=%40twitterapi&secret_token=234234234234
I've been researching this for quite a while and haven't found a definite answer.
And if so, where in the docs would the names of the variables be that I need to authenticate via a URL?

No, that's not how the Twitter API works. You need to construct a valid OAuth authorization string and include it as the header in your request.
See Authorizing a Request in the Twitter REST API documentation.

Related

How can I create an access token to call the ebay analytics api?

I can't generate an access token because apparently the scopes I have provided aren't authorized.
I have created api credentials for the sandbox environment and have followed the steps in the documentation to encode them in the request for an access token (https://developer.ebay.com/api-docs/static/oauth-client-credentials-grant.html), and I have experimented with first providing all of my application's scopes in the request and then being more selective (https://developer.ebay.com/api-docs/static/oauth-scopes.html#specifying-scopes), but nothing seems to work.
I then found this post (https://forums.developer.ebay.com/questions/23495/application-token-exceeds-the-scope-granted-to-the.html) which suggested using the api explorer (https://developer.ebay.com/my/api_test_tool?index=0&env=sandbox&api=fulfillment&call=order-orderid__GET&variation=json) to generate an access token, but my request was denied with that token as well.
Does anyone know which scopes I have to provide in order to get this access token?
Scope depends on the APIs you want to use once you have the access_token.
I Usually list all scopes so to be able to use any APIs

how to publish my app using Foursquare Secret? Security is concerned

I made a site using Foursquare API, and want to publish it on my personal homepage, but I have the security concern with my Foursquare SECRET.
I used ajax request in a JS file using the following format of URL, and I'm afraid clients would be able to read my Foursquare ID and Secret:
https://api.foursquare.com/v2/venues/search?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&v=20180325&ll=lat,lng&query=cafe
I did search for a way to restrict accessible URL like Yelp does, but Foursquare doesn't seem to provide that method. What are the best way to secure my Foursquare Secret either/both on client-side or/and server-side? (I do not have much of a knowledge on back-end, but if a detailed information is provided, you'd be much appreciated, thank you all)
The easiest way would be to use the users token instead of your Client_ID / Client_Secret.
https://api.foursquare.com/v2/venues/search?oauth_token=someUsersToken&ll=lat,lng&query=cafe
Your app is linked to that token.
Another suggestion would be to use a server as a proxy. Send all request from your app to your server then have your server make the request to foursquare, injecting the client ID and secret, then send the foursquare response back to your app.
Problem I see with using the user token exposed is, they could potentially use that token to impersonate your app with requests to foursquare.
You can check here for more info on foursquare's authentication.
https://developer.foursquare.com/docs/api/configuration/authentication

Twitter Oauth authorization code

I am building a REST API.
For registering a user, he needs to authenticate on Twitter.
Normally, I would use an Authorization code provided by an OAuth2 server but it seems like Twitter does not implement this type of authorization.
I don't want my mobile app to send the Twitter token to the API to register the user. I see this as a security flaw.
I checked OAuth echo (https://dev.twitter.com/oauth/echo) which seems okay. The user passes the credentials to my API, and my API checks the user against the twitter API. Twitter then returns a user object. It does not return a access token though.
Is it the only way to do this?
Thanks for your help.
Yes you are correct. Using OAuth Echo will use you as the third party for that individual without exposing your Access token/key and Credentials.
Just be aware that you're under a different rate limit from Twitter's API when you're going through that route. In some cases it's an increase in limit while it's a decrease in other.

Twitter authentication URL

Which URL I should user for authentication user in the Twitter?
For example, in the Instagram token for user can be received when user click on the following link
https://api.instagram.com/oauth/authorize/?client_id=XXX&redirect_uri=XXX&response_type=XXX
After this its return token and I can work with user profile.
How to build such link for twitter?
Twitter API has several ways to authorize and it depends on what you want to do for determining which approach to take.
The OAuth2 approach that instagram takes is called application-only in Twitter API. The thing about application-only is that you can only use it on endpoints that aren't associated with a user. e.g. it's great for search, but doesn't work well for tweeting (which is something a user would do).
A couple other approaches are Single User Authorization, which is good if your app only needs one set of credentials. e.g. a server app. Another is Pin Authorization which is a work-around for devices that can't manage Web callbacks. These use OAuth 1.0A.
There are a few other OAuth options, but this was just to give you an idea about the available choices and the need to think about what you want to accomplish and match that with what the Twitter API offers. Here's the Twitter docs for more info:
Authentication and Authorization

Google Data API: OAuth authenticate URL instead of authorize URL?

I'm accessing the Google Contacts API using OAuth.
I see from the docs that I have an authorize URL (https://www.google.com/accounts/OAuthAuthorizeToken), used to get the access token, but not an authenticate URL, a thing other services implementing OAuth use to automatically redirect the user to my site when he has previously given me the permission to access his data.
Linkedin does it
https://www.linkedin.com/uas/oauth/authorize
https://www.linkedin.com/uas/oauth/authenticate
Twitter does it
https://twitter.com/oauth/authenticate
https://twitter.com/oauth/authorize
But I couldn't find a way to do this using the Google API.
Anyone knows if it's there?
Thanks
Google uses the same url for authentication and authorization, so just redirect your users to the authorize url with the appropriate parameters in the query string. Google then determines if the user needs to login, authorize your app, or both.
The flow would go something like this...
Get the request token
Redirect your users to the authorization link
https://www.google.com/accounts/OAuthAuthorizeToken?scope=http%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds&oauth_token=REQUEST_TOKEN&oauth_callback=http%3A%2F%2Fwww.mysite.com%2Fcallback
User authorizes your app, then exchange the requst token for an access token.