API user authentication clarification
micheal.wu says:
I read the bit about user authentication but I'm still a bit puzzled about how login works.
For example on a desktop app
-You get the frob through the API.
-You form a signature from the api key (api_key), frob value (frob), and permission (perms), and use all those to make an authentication URL.
-EG: http://www.rememberthemilk.com/services/auth/?api_key=abc123&perms=delete&frob=123456&api_sig=zxy987
-The user goes to that URL, logs in (if necessary) and allows API to access their stuff.
-the app then gets a token through the API
Then after this every function has to be called with the token and the api key?
Is it correct to say:
The token uniquely identifies a user?
The token allows access to that user's tasks without login again?
The token can be invalidated through the RtM services?
Sorry if they seem like simple questions, just trying to wrap my head around it.
EG
for rtm.tasks.getList
the request would be:
http://api.rememberthemilk.com/services/rest/?method=rtm.tasks.getList&api_key=123456789&auth_token=somevalue
emily (Remember The Milk) says:
To answer your questions: yes, yes, and yes :)
For that example request, you'd also need an api_sig.
If you have any further questions about the API, I'd recommend asking on the API developers group.
Hope this helps!
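The flow discussed in this thread, as an added example that is not part of either post and is not Remember The Milk's own code: it builds the signed authentication URL and a signed `rtm.tasks.getList` request, including the `api_sig` the reply says is required. The thread does not describe how `api_sig` is computed; the scheme used here (MD5 over the shared secret followed by the parameters sorted by key) is an assumption taken from RTM's public API documentation, and the function names and the shared-secret value are hypothetical.

```python
import hashlib
from urllib.parse import urlencode

# Hosts and paths as they appear in the thread; https is used here because the
# auth_token is a bearer credential and should not cross the network in clear.
AUTH_URL = "https://www.rememberthemilk.com/services/auth/"
REST_URL = "https://api.rememberthemilk.com/services/rest/"


def sign(params, shared_secret):
    """Return api_sig for params (assumed scheme: MD5 of secret + sorted key/value pairs)."""
    if "api_sig" in params:
        raise ValueError("api_sig must not be part of the signed parameters")
    base = shared_secret + "".join(k + str(params[k]) for k in sorted(params))
    return hashlib.md5(base.encode("utf-8")).hexdigest()


def signed_url(endpoint, params, shared_secret):
    """Append api_sig to params; the shared secret itself never enters the URL."""
    query = dict(params, api_sig=sign(params, shared_secret))
    return endpoint + "?" + urlencode(query)


def auth_url(api_key, shared_secret, frob, perms="delete"):
    """The URL the user opens to log in and approve the app for this frob."""
    return signed_url(AUTH_URL, {"api_key": api_key, "perms": perms, "frob": frob}, shared_secret)


def method_url(api_key, shared_secret, auth_token, method, **extra):
    """Any later call: api_key, auth_token and method arguments, all covered by api_sig."""
    params = {"method": method, "api_key": api_key, "auth_token": auth_token, **extra}
    return signed_url(REST_URL, params, shared_secret)


if __name__ == "__main__":
    # Constructed placeholder values, matching the thread's examples where it gives them.
    secret = "EXAMPLE_SHARED_SECRET"
    print(auth_url("abc123", secret, "123456"))
    print(method_url("123456789", secret, "somevalue", "rtm.tasks.getList"))
```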