API Authentication

Overview

img-auth

Protecting your data is our highest priority. The Domo API features OAuth 2.0 authentication and authorization; only authorized users may generate Access Tokens and communicate with the Domo API. The following sections illustrate how to access the API using OAuth 2.0 security.

To interact with Domo’s APIs through OAuth security, you will need to obtain authorization and authentication. In order to access Domo APIs, a user must first be authenticated (prove that they are whom they say they are) through a client ID and client secret.

Once a user has been authenticated, they can then create an access token to authorize what the scope of functionality will be available for each API for that specific access token.

Important terms

OAuth 2.0:

OAuth 2.0 is an authentication framework as defined by the RFC-6749 standard.  OAuth 2.0 focuses on client developer simplicity while providing specific authentication flows for web and desktop applications. Generally speaking, OAuth provides clients with secure delegated access to server resources on behalf of a resource owner. It allows resource owners to authenticate and authorize third-party access to their server resources without the need to share personal credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth uses short-lived access tokens, issued to a client by an authentication server, with the approval of the resource owner. The client then uses the access token to access the protected resources hosted by the resource server.

Client ID

An ID used to uniquely identify a third-party client.

Client Secret

A secret code that proves to the authentication server that the client program is authorized to make a request on behalf of the user. Client Secrets are required for OAuth 2.0.

A program requesting an access token has to know the client secret in order to gain the token. This prevents malicious apps that have not been authorized from ever obtaining a valid access token. A Client Secret doesn’t state anything about authenticating a user; it’s simply authorizing an app to request access tokens.

A client secret must be protected at all costs; if the secret is compromised, a new one must be generated and all authorized programs must be updated with the new client secret.

 

Creating a client

Within the developer portal you will need login with the name of your Domo instance.  Once you have logged in, you will then need to navigate to your user avatar and select “Create New Client” in the dropdown list.

You can create clients as needed; for example, you may want to create one application just to manage your data. You may want another to manage your users. Before your application can generate access tokens and access the API, you need to generate a client id and secret.

When creating your Client ID and Client Secret, you’ll be asked to specify the “scope” of the program. The scope is a security measure that allows you to limit the functionality an application has access to.  Selecting only the “data” scope, for example, limits calls to data-related APIs, while a client generated with “data” and “user” scopes would have access to both data and user-related APIs.

You can also view, delete or otherwise manage existing clients as well.

Obtaining an access token

To request an access token, make the following request with your generated client ID and secret.

$ curl -v -u {CLIENT_ID}:{CLIENT_SECRET} "https://api.domo.com/oauth/token?grant_type=client_credentials&scope={SCOPE}"

Please note that in the above example, when using the -u command line option, cURL correctly formats the client id and secret to a basic authorization header. If you are programmatically requesting access tokens, make sure that you are correctly including the basic authorization header with your Base64 encoded credentials. See the OAuth client credential grant type access token request specification and the HTTP Basic Authentication Scheme specification for more information.

An example with your scope,client_ID, and client_secret would look similar to below:

$ curl -v -u 441e307a-b2a1-4a99-8561-174e5b153fsa:f103fc453d08bdh049edc9a1913e3f5266447a06d1d2751258c89771fbcc8087 "https://api.domo.com/oauth/token?grant_type=client_credentials&scope=data%20user"

Once you request a token with the curl command, you should receive the following response with an associated access token:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json;charset=UTF-8
Date: Thu, 03 Aug 2017 17:05:58 GMT
Expires: 0
Pragma: no-cache
Pragma: no-cache
Server: nginx
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{
    "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJyb2xlIjoiQWRtaW4iLCJzY29wZSI6WyJkYXRhIiwidXNlciJdLCJleHAiOjE1MDE3ODM1MTksImVudiI6InByb2QxIiwidXNlcklkIjo5NjQzODI1OTAsImp0aSI6IjgxZGVjZTRjLWRmNzMtNDU2OS04NTNjLTJkMWEzMjg4OTdmZCIsImNsaWVudF9pZCI6IjQ0MWUzMDdhLWIyYTEtNGE5OS04NTYxLTE3NGU1YjE5M2VlYSIsImN1c3RvbWVyIjoidHJhaW5pbmcifQ.O0H29RFMjruZjA7cXvIctNf8IyuKSyoLggRB5ps7r8LwJL7FM-BWu8oyEPnCopvED-2Sy6emg__8PKQ6r4FPRnsyp4A1uwLwyii8fUmp8NQX3QlprL72_Xc-5ghDtWILPX_Pg77giFLbH-nAys5nsI9S2MDL-xwIFnS3p0iAqSmio5yk6F61Gi_fXVPbDARQ6c2Ci2q2wxFG-xk1lqdlKoPnQwmcQcIJhfgvQ6-15SxNuwZhoQZCZt01wTJ65phFsqoYFHPgznlMxISxDJz2moCjKIY8O9qobj9kIbegpusKUzLeBO9SVc7V3KNZal9f_m-8eGJ3j2bbMFEnaHz8jMJQ",
    "customer": "acmecompany",
    "expires_in": 3599,
    "jti": "81dece4c-df73-4569-853c-2d1a328897fd",
    "role": "Admin",
    "scope": "data user",
    "token_type": "bearer",
    "userId": 964382593
}

The JSON response body might include more fields than those listed in the example response, but the important fields to be aware of are: access_token, and expires_in.

Every subsequent request must have an access token added as a header. Access tokens expire in approximately an hour; after that you'll need to get a new access token.

Call target API example

After you’ve obtained an access token, you’ll need to send it with every request to the Domo API in an HTTP authorization header.
Let’s say you wanted to call Domo’s API to get a list of your DataSets within Domo. You would make the following GET request (replacing "{access-token}" with the access token obtained in the previous step):

$ curl -v -H Authorization:'bearer {access-token}' "https://api.domo.com/v1/datasets"

OAuth 2.0 handshake summary

authimage

Need additional help?

No problem, we'd love to help. Explore our documentation, answers to frequently asked questions, or join other developers in Domo's Developer Forum.  For further help, feel free to email us or contact our sales team.