We prefer an explicit grant flow. This only works if your application is executing live on a server. If you require a different flow please contact our team for assistance.
In an explicit workflow the app retrieves an authorization code and that is exchanged for an access token. This is considered the most secure because the token is passed directly to the applications server and not exposed to the enduser’s browser.
This article details the workflow for this implementation of the LeoAdventures Partner API.
Get Your Client ID and Secret
The first step is to apply for a client ID and client secret using this form. Every application is reviewed by a member of our team to verify the details of the applicant. Because of this, it will take up to two business days to get the credentials back to you.
Once you have your credentials then you are ready to implement the API in your application!
Step 1: Request an Authorization Code
This GET request will go to the /oauth/authorize endpoint.
GET
https://leoadventures.com/oauth/authorize/Request Parameters
- client_id (required)– The client ID making the request
- redirect_uri (required) – The URL to redirect back to. This is established when you apply for credentials. Please contact our team to change.
- response_type (required) – Must be set to “code”
- scope (optional) – Currently not necessary, as we don’t use different scopes
- state (optional) – Client generated CSRF token. This value will be passed back to the client. Here is more information
Below is an example of a simple form to retrieve an authorization code. This form is by no means mandatory, but is one way to get up and running quickly. Notice most of the fields are hidden and the form only includes a visible button.
<form id="leoadventures-auth-form" method="GET" action="https://leoadventures.com/oauth/authorize/">
<input type="hidden" name="state" value="randomString123" />
<input type="hidden" name="response_type" value="code" />
<input type="hidden" name="client_id" value="abcdefghijklmnopqrstuvwxyz1234567890ABCD" />
<input type="hidden" name="redirect_uri" value="https://your-redirect.com/your-subpage/" />
<div style="display: inline-block;" >
<a type="submit" id="leo-login-submit-button">
<img id="leoadventures_verification_button" width="350" height="72" alt="LeoAdventures verification button" srcset="https://leoadventures.com/wp-content/uploads/2021/03/Leo-White-350.png 1x, https://leoadventures.com/wp-content/uploads/2021/03/Leo-White-700.png 2x" src="https://leoadventures.com/wp-content/uploads/2021/03/Leo-White-350.png"/>
</a>
<small><a style="text-align: right; display: block;" href="https://leoadventures.com/what-is-leoadventures">What is LeoAdventures?</a></small>
</div>
</form>A shorter alternative to this form would be an anchor tag with an href that includes all of the necessary variables in the url encoded search parameters. For example
<div style="display: inline-block;" >
<a style="display: block;" href="https://leoadventures.com/oauth/authorize/?state=randomString123&response_type=code&client_id=abcdefghijklmnopqrstuvwxyz1234567890ABCD&redirect_uri=https%3A%2F%2Fyour-redirect.com%2Fyour-subpage%2F">
<img id="leoadventures_verification_button" width="350" height="72" alt="LeoAdventures verification button" srcset="https://leoadventures.com/wp-content/uploads/2021/03/Leo-White-350.png 1x, https://leoadventures.com/wp-content/uploads/2021/03/Leo-White-700.png 2x" src="https://leoadventures.com/wp-content/uploads/2021/03/Leo-White-350.png"/>
</a>
<small><a style="text-align: right; display: block;" href="https://leoadventures.com/what-is-leoadventures">What is LeoAdventures?</a></small>
</div>When integrating the API, the use of the LeoAdventures button is required. Please be sure to use an unaltered version of this button. If this will not work for your website, please contact our team.
Response
The response is
- code (string) – The authorization code.
- state (mixed) – If a state parameter were supplied in the request, it would be returned.
Once the form above is submitted, the enduser will be redirected away from your app to the login page of LeoAdventures. After the enduser submits their credentials they will again be redirected back to your app. They will be redirected to the redirect uri you provided. The authorization code will be url encoded in the redirect uri. For example:
https://your-redirect.com/your-subpage/?code=77it37yquizgzn4furak2trrrs1e4q3odqjegk8h&state=randomString123Step 2: Request a Token
The one time authorization code will be used to get an access token. The authorization code is only valid for approximately 30 seconds. In an explicit workflow the access token would not be revealed client side. Instead only the authorization code in the previous step would be revealed. For this reason, explicit workflows are more desirable.
When your application receives a request for the redirect uri with a url query string of code, your application will use the authorization code to request an access token.
Your application should send a POST request to:
https://leoadventures.com/oauth/token/Post Request Data
- grant_type (required) – is ‘authorization_code’
- code (required) – the authorization code
- redirect_uri (required)
- client_id (required)
- client_secret (required) – This should only be sent from your application server to the LeoAdventures server, and this should never be sent to the enduser. Shhh, it’s a secret
Note: The user agent header must be a recognizable string to our server. i.e. custom user agent strings that don’t represent known devices will be rejected.
Example request
curl -X POST https://leoadventures.com/oauth/token/ \
-d '{
"grant_type": "authorization_code",
"code": "77it37yquizgzn4furak2trrrs1e4q3odqjegk8h",
"redirect_uri": "https://your-redirect.com/your-subpage/",
"client_id": "abcdefghijklmnopqrstuvwxyz1234567890ABCD",
"client_secret": "DCBA0987654321zyxwvutsrqponmlkjihgfedcba"
}' \
-H 'Content-Type: application/json' \
-H 'cache-control: no-cache' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0'Response
The response will be in a JSON object
- access_token (string) – The access token
- expires_in (number) – Time the access token expires in seconds from current time
- token_type (string) – Type of token. “Bearer” is only supported
- scope (string) – The scopes authorized for this access token
- refresh_token (string) – The refresh token
An example of a successful response:
{
"access_token": "aph6jiiwsvgyt9j4fohayegypbo65f8fpjodpdckuiqho0p4wf",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "basic",
"refresh_token": "g1b4cph2kjnwojzofajvqsfzb2oltjthtermizvlnzsaqjl2o9"
}An example of a failed response:
{
"error": "invalid_grant",
"error_description": "Authorization code doesn't exist or is invalid for the client"
}Step 3: Request the User Information
If step 2 is successful then your application should immediately request the users information. This is done with a GET request to the https://leoadventures.com/oauth/me/ endpoint. The bearer token sent in this request is the access token assigned in the previous step. In an explicit workflow this token should be used exclusively on your application server. It should never be sent to the enduser, only the API endpoint. Below is an example.
Example request
curl -X GET https://leoadventures.com/oauth/me/ \
-H 'Authorization: Bearer aph6jiiwsvgyt9j4fohayegypbo65f8fpjodpdckuiqho0p4wf' \
-H 'cache-control: no-cache'
-H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0'Response
The response will be in a JSON object
- user_id (number) – The ID of the user,
- member (boolean) – True/False if they are a LeoAdventures member
- membership_level (string) – One of three levels will return
Leo Hero,Leo Lifer, orLeo MVP. It will returnnullif they are not a member
An example of a successful response:
{
"member": 1,
"membership_level": "Leo Lifer",
"user_id": 333333
}Or the enduser successfully logged into LeoAdventures but they are not a member:
{
"member": 0,
"membership_level": null,
"user_id": 333333
}An example of a failed response:
{
"error": "invalid_request",
"error_description": "Invalid token",
"error_uri": "https://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-7.2"
}Step 4: Apply the Appropriate Discount
Once the user has been confirmed as a member (“Leo Lifer”, “Leo MVP”, “Leo Hero”) it is up to you to apply the appropriate discount to their cart or store items. For testing your API integration please see Testing the Verification API.