Authentication
Krebit uses OAuth 2.0 (the authorization code grant) to authenticate calls to the API. Follow this guide to set up your connection.
Creating Your App
To start, create your app within the Krebit platform. Upon successful creation, you will receive a client_id and a client_secret. These credentials are needed to obtain an access token, which every request to the API must carry.
You create your app by going to https://{organization}.krebit.se/developer/my-apps and following the steps there.
Important note! The client_secret is shown only once, during the setup process, so save it in a secure location (for example a secrets manager or server-side configuration). Keep it out of browser or mobile code and out of source control: it identifies your app to the token endpoint, and anyone who holds it can exchange authorization codes and refresh tokens on your behalf.
Generating an Access Token
To obtain an access token, first direct the user's browser to an authorization URL structured as follows (URL-encode each parameter value):
https://{organization}.krebit.se/oauth/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&state={state}
Explanation of Parameters
{organization}: The subdomain associated with your organization on Krebit (e.g., yourcompany.krebit.se).
{client_id}: The client ID provided when you created your app.
{redirect_uri}: The URL defined during app creation where the user will be redirected after authorization. It must match the registered value exactly.
{state}: A unique, unpredictable, randomly generated string used to prevent Cross-Site Request Forgery (CSRF) attacks. Generate a fresh value for every authorization attempt, keep it in the user's session, and reject the callback if the returned state does not match.
Example Authorization URL
https://myorganization.krebit.se/oauth/authorize?client_id=abc123&redirect_uri=https://myapp.example.com/callback&response_type=code&state=xyz789
Exchanging the Authorization Code for an Access Token
After the user authorizes, they will be redirected to your redirect_uri with a code parameter and the state value you sent. Verify the state first, then use the code to request an access token from the token endpoint:
Token Endpoint
POST https://{organization}.krebit.se/api/oauth/token
Request Parameters
Include the following parameters in the body of your POST request:
grant_type: Must be authorization_code
client_id: Your client ID
client_secret: Your client secret
redirect_uri: The redirect URI registered for your app
code: The authorization code received from the initial request
Sample Token Request
POST /api/oauth/token HTTP/1.1
Host: myorganization.krebit.se
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=abc123&client_secret=supersecret&redirect_uri=https%3A%2F%2Fmyapp.example.com%2Fcallback&code=authcode456
Sample Response
{
"access_token": "abcdef1234567890",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "refresh1234567890"
}
Using the Access Token
Include the access_token in the Authorization header of your HTTP requests to the API:
GET /api/resource HTTP/1.1
Host: myorganization.krebit.se
Authorization: Bearer abcdef1234567890
Refreshing an Access Token
When the access_token expires (after expires_in seconds), you can use the refresh_token to obtain a new one without requiring the user to reauthorize.
Refresh Token Endpoint
POST https://{organization}.krebit.se/api/oauth/token
Request Parameters
Include the following parameters in the body of your POST request:
grant_type: Must be refresh_token
client_id: Your client ID
client_secret: Your client secret
refresh_token: The refresh token obtained during the initial token request
Sample Refresh Request
POST /api/oauth/token HTTP/1.1
Host: myorganization.krebit.se
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&client_id=abc123&client_secret=supersecret&refresh_token=refresh1234567890
Sample Response
{
"access_token": "newaccess1234567890",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "newrefresh1234567890"
}
Notes
- The response includes a new access_token and may include a new refresh_token. When one is issued, replace the stored refresh_token with it; always store the latest refresh_token securely, server-side and never in logs, since it grants access for as long as it remains valid.
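The whole flow described above (building the authorization URL with a random state, checking that state on the callback, exchanging the code, attaching the bearer token, and refreshing) as one added example. This is not Krebit's own SDK: the endpoint paths and parameter names are taken from this page, while the class layout, the in-memory state bookkeeping, the injectable http_post transport and the fake_token_endpoint stand-in (which replies with the page's sample values so the example runs offline) are assumptions of the example. The "error" reply shape follows the general OAuth 2.0 convention; the page itself shows no error response.

```python
import json
import secrets
import urllib.parse
import urllib.request


def http_post_form(url, form):
    """Real transport: POST a form-encoded body and return the parsed JSON reply."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class KrebitOAuthClient:
    """Authorization-code flow against the endpoints on this page. Paths and parameter
    names are the page's; the class shape, state bookkeeping and injectable transport
    are assumptions of this example."""

    def __init__(self, organization, client_id, client_secret, redirect_uri,
                 http_post=http_post_form):
        self.base = f"https://{organization}.krebit.se"
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self._http_post = redirect_uri, http_post
        self._pending_states = set()  # states issued but not yet redeemed
        self.access_token = self.refresh_token = self.expires_in = None

    def authorization_url(self):
        """URL to send the user to, plus the state to verify on the callback."""
        state = secrets.token_urlsafe(32)  # unpredictable, single use
        self._pending_states.add(state)
        query = urllib.parse.urlencode({
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,  # urlencode percent-escapes ':' and '/'
            "response_type": "code",
            "state": state})
        return f"{self.base}/oauth/authorize?{query}", state

    def handle_callback(self, callback_url):
        """Validate the redirect back to redirect_uri and return the code it carries."""
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
        state = params.get("state", [None])[0]
        # A state we never issued, or one already redeemed, means this callback was
        # not started by us: reject it. This is the CSRF check the page refers to.
        if state not in self._pending_states:
            raise ValueError("state mismatch: possible CSRF or replayed callback")
        self._pending_states.discard(state)
        if "error" in params:
            raise RuntimeError(f"authorization denied: {params['error'][0]}")
        code = params.get("code", [None])[0]
        if not code:
            raise ValueError("callback carries no authorization code")
        return code

    def exchange_code(self, code):
        """grant_type=authorization_code: redeem the code for tokens."""
        return self._store(self._http_post(f"{self.base}/api/oauth/token", {
            "grant_type": "authorization_code", "client_id": self.client_id,
            "client_secret": self.client_secret, "redirect_uri": self.redirect_uri,
            "code": code}))

    def refresh(self):
        """grant_type=refresh_token: new access token without user interaction."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token held; complete the authorization flow first")
        return self._store(self._http_post(f"{self.base}/api/oauth/token", {
            "grant_type": "refresh_token", "client_id": self.client_id,
            "client_secret": self.client_secret, "refresh_token": self.refresh_token}))

    def _store(self, reply):
        if "error" in reply:  # OAuth 2.0 error shape (assumed; the page shows no error reply)
            raise RuntimeError(f"token endpoint error: {reply['error']}")
        if reply.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {reply.get('token_type')!r}")
        self.access_token = reply["access_token"]
        self.expires_in = int(reply.get("expires_in", 0))
        # Keep the newest refresh_token when one is issued, else retain the current one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        return self.access_token

    def auth_header(self):
        """Header for API calls such as GET /api/resource."""
        if not self.access_token:
            raise RuntimeError("no access token held")
        return {"Authorization": f"Bearer {self.access_token}"}


def fake_token_endpoint(url, form):
    """Constructed stand-in for the token endpoint so the example runs offline;
    replies reuse the sample values shown on this page."""
    if not url.endswith("/api/oauth/token") or form.get("client_secret") != "supersecret":
        return {"error": "invalid_client"}
    if form["grant_type"] == "authorization_code" and form.get("code") == "authcode456":
        return {"access_token": "abcdef1234567890", "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": "refresh1234567890"}
    if form["grant_type"] == "refresh_token" and form.get("refresh_token") == "refresh1234567890":
        return {"access_token": "newaccess1234567890", "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": "newrefresh1234567890"}
    return {"error": "invalid_grant"}
```

To run it against a real tenant, construct KrebitOAuthClient without the http_post argument so the urllib transport is used, redirect the user to the URL from authorization_url(), and pass the full callback URL your web handler receives to handle_callback() before calling exchange_code(). Because _pending_states lives in memory, the check only works when the same process issues the state and handles the callback; a multi-process deployment would keep the state in the user's server-side session instead.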