Anchor API Documentation

OAuth2 API Reference

The Anchor API (v2+) requires authentication via OAuth2. It supports authorization code, refresh token, and password grants.

This document will not go into the details of the OAuth2 specification, but instead will focus on simple steps for using it with Anchor. Anchor's implementation of OAuth2 is based on RFC 6749.

Endpoint

https://<hostname:port>/oauth

All requests to the OAuth2 API must be performed over HTTPS. Non-HTTPS requests will be rejected.

Register an application

Started by registering a new application for your organization, or by asking your organization administrator to complete the registration. Visit the "API" page in organization settings and click "Register OAuth2 Client".

Provide the following details for your application:

Name: the application name
Description: an optional description of the application, what it is used for, etc.
Allowed grant types: the grant types the application is allowed to use. For example, "Authorization code" and "Refresh token" are typical for a standard interactive authorization flow. See the OAuth2 specification for details about the various grant types.
Redirect URIs: one or more redirect URI allowed as the destination after access is granted for authorization code flows.

Upon completion a unique, random client ID and client secret will be generated. These typically need to be configured within the registered application before it can authenticate.

Obtain OAuth2 access tokens

The following steps outline how your application interacts with the server to obtain a user's consent and get access tokens.

Step 1: Direct the user to the authorization page with authorization parameter's for your application

https://<hostname:port>/oauth/authorize?
    response_type=code&
    client_id=your_client_id&
    redirect_uri=https%3A%2F%2Fyour-application.com/oauth2/callback&
    state=state_value

Query Parameters

client_id: the client ID for your application. Obtained after registering your application on the API page in organization settings. Required.
redirect_uri: the URI where the server redirects the user after the user completes the authorization flow. The value must exactly match one of the authorized redirect URIs registered for your application on the API page in organization settings. If this value does not match an authorized redirect URI for the provided client_id you will get a redirect_uri_mismatch error.
state: any value that your application uses to maintain state between the authorization request and server's response. This will be included exactly as provided as a query parameter appended to redirect_uri.

Step 2: The server prompts the user for consent

The user will be presented with an authorization page requesting them to allow your application to access their account. Your application does not do anything but wait for the server to redirect back after the user approves or denies the request.

Step 3: Handle the server's response to your redirect_uri

After the user completes the consent step, the server redirects to the provided redirect_uri with a code or error query parameter, as well as state if provided.

Example authorization code response:

https://your-application.com/oauth2/callback?code=XXXXXXXXXXXXXXXX

Example error response:

https://your-application.com/oauth2/callback?error=access_denied

Step 4: Exchange the authorization code for access tokens

Your application can then exchange the authorization code for access tokens using the token endpoint below.

Request an access token

To request an access token, call the token method, passing an authorization code or account credentials to authenticate.

POST /oauth/token

POST Fields

grant_type: the requested grant type, such as "authorization_code" or "password". Required.
client_id: the OAuth2 client ID. "anchor" may be used for password-only applications. Required.
client_secret: the OAuth2 client secret. Required, unless using the built-in password-only "anchor" client.
code: (for "authorization_code" grants) the authorization code.
username: (for "password" grants) the username for the account being authenticated.
password: (for "password" grants) the password for the account being authenticated.
auth_code: (for "password" grants) the two-step verification code for the account being authenticated. Required if the account has two-step verification enabled.
guid: the GUID assigned to the client or empty if one has not yet been assigned.
dns_name: a descriptive name for the client, such as the host name or device manufacturer and model.
os_type: the client system type, such as "win", "osx", "android", "ios", or "winphone".
os_version: the client system version, such as "4.2.2".

Example

Request

POST /oauth/token
grant_type=password&client_id=anchor&username=user@example.com&password=example

Response

HTTP status code: 200
Response body:
{
    "access_token": "<access_token>",
    "expires_in": 3600,
    "guid": "<guid>",
    "token_type": "Bearer",
    "refresh_token": "<refresh_token>",
    "scope": "full"
}

The response should be saved. The access token will be passed to API methods requiring authentication. Access tokens are valid for a short period of time, usually 1 hour, and the refresh token will be used to get a new access token when it expires. The expires_in value is in seconds. token_type and scope will always be "Bearer" and "full," respectively.

The guid returned in the response is either the GUID passed in the original request, if it is found on the server, or a new GUID assigned to the client. It should be saved for future use when refreshing tokens.

Two-step verification

When an account has two-step verification enabled, the initial call will return the following:

HTTP status code: 401
Response body:
{
    "error": "missing_totp",
    "two_step_mode": "(email|sms|authenticator)"
}

In this case, the user should be prompted for a two-step verification code and the request should be repeated with the code appended. The Anchor server will have already triggered the notification process in the case of email or SMS delivery.

POST /oauth/token
grant_type=password&client_id=anchor&username=user@example.com&password=example&auth_code=<auth_code>

If the code is valid, an access token will be returned. Otherwise, the following:

HTTP status code: 401
Response body:
{
    "error": "invalid_totp",
    "two_step_mode": "(email|sms|authenticator)"
}

If repeated failed authentication attempts occur, the account will be blocked from making more authentication attempts for a short period:

HTTP status code: 403
Response body:
{
    "error": "account_locked"
}

Refresh an access token

Refreshing an access token also uses the same token method as the initial authentication request. In this case, the refresh_token from a previous access token request is passed instead of account credentials.

POST /oauth/token

POST Fields

grant_type: the requested grant type, "refresh_token" in this case. Required.
client_id: the OAuth2 client ID, "anchor" only at this time. Required.
refresh_token: a refresh token from the previous access token request. Required.
guid: the GUID assigned to the client or empty if one has not yet been assigned. Typically this should be the GUID assigned by the server during the initial access token request.
dns_name: a descriptive name for the client, such as the host name or device manufacturer and model.
os_type: the client system type, such as "win", "osx", "android", "ios", or "winphone".
os_version: the client system version, such as "5.1.0".

Example

Request

POST /oauth/token
grant_type=refresh_token&client_id=anchor&refresh_token=<refresh_token>

Response

HTTP status code: 200
Response body:
{
    "access_token": "<access_token>",
    "expires_in": 3600,
    "guid": "<guid>",
    "token_type": "Bearer",
    "refresh_token": "<refresh_token>",
    "scope": "full"
}

Revoke access

To invalidate an access token, call the revoke method.

POST /oauth/revoke

POST Fields

client_id: the OAuth2 client ID associated with the token, "anchor" only at this time. Required.
token: the token to revoke. Required.
token_type_hint: the type of token being submitted, "access_token" or "refresh_token".

Example

Request

POST /oauth/revoke
client_id=anchor&token=<token>&token_type_hint=access_token

Response

HTTP status code: 200

For valid requests the response is always HTTP 200. The response body is ignored.

Authenticating requests

Once an access token is obtained, it may be used to authenticate requests by passing it in the Authorization header.

Example request

GET /api/2/files/1
Authorization: Bearer <access_token>
...