Authentication

This page contains a overview of the authentication flow when using the Zenegy API.

Authentication

Zenegy uses OAuth 2.0 for user authorization and API authentication. Applications must be authorized and authenticated before they can fetch and post data from and to Zenegy or get access to data.

Zenegy provides two environments: production and test. Environments have separate data and authentication. Authentication server URLs are:

Configure Your Application

Before starting with the OAuth flow, register and create your app.
Please check the following link

Authorization Code Flow

If you need to gain a refresh token for long access to the company, Authorization code flow is recommended.

The authorization code flow returns short-lived access_token and refresh tokens, which can be used to acquire access_token for an unlimited period. This flow involves several steps.

Request an Authorization Code

The required parameters for this flow are:

ParameterDescriptionRequired
response_typeThe value of this field should always be codeYes
client_idUnique ID of the application, generated by ZenegyYes
redirect_uriThe URI your users are sent back to after authorization. This value must match one of the OAuth 2.0 Authorized Redirect URLs. The redirect URL has to be HTTPSYes
company_idGuid of the company for which access is required: if the user has access to the company, this company will be pre-selectedNo

Example:

https://auth.zenegy.com/auth/authorize?client_id={{client_id}}&redirect_uri={{redirect_uri}}&response_type=code

Once redirected, the user is presented with a Zenegy authentication screen.
On this screen, the application name, logo, access scopes and required roles are presented to the user. Users need to select a company for which access will be granted. Users can validate access(grant access) or Deny access.

Screenshot showing the authentication review page.

The screenshot shows the authentication review page.

Your Application is Approved

By providing valid Zenegy credentials and clicking Validate Access, the user approves your application's request to interact with Zenegy on their behalf. This approval instructs Zenegy to redirect the member to the callback URL you defined in your redirect_uri parameter.

Attached to the redirect_uri is the OAuth 2.0 authorization code. The parameter "code" is returned as a query parameter.

Example:

    {{redirect_uri}}?code=308a4647ab394ea0a4e19c6956f8f067ca8ddded94b04ad3b8a513673d17475c

The code is a value that you exchange with Zenegy for an OAuth 2.0 access token in the next step of the authentication process.
For security reasons, the authorization code has a 5 -5-minute lifespan and must be used immediately. If it expires, you must repeat the previous steps to request another authorization code.

Exchange Authorization Code for an Access Token

The next step is to get an access token for your application using the authorization code from the previous step. To do this, make the following HTTP POST request with a Content-Type header of x-www-form-urlencoded:

🚧

Request path.

Important:
The path of the request to exchange the code, should be adjusted to use "/auth/token" before submitting the request.
Authentication will fail if request is submitted using "/auth/authentication/".

Example:

    POST /auth/token HTTP/1.1
    Host: auth.zenegy.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code={authorization_code_from_step2_respon
    se}&redirect_uri={{redirect_uri}}&client_id={your_client_id}&client_secr
    et={your_client_secret}
ParameterDescription
access_tokenThe access token for the application. Token life is 1 hour.
expires_inThe number of seconds remaining until the token expires. Currently, all access tokens are issued with 30 minutes lifespan.
token_typeAlways Bearer
refresh_tokenRefresh token that is used in the refresh token flow for getting new access tokens
company_idGuid of the company for which access is granted

Example:

    {
    "access_token":
    "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTI1NiIsIn
    R5cCI6IkpXVCJ9.eyJpZCI6IjEiLCJ1aWQiOiJhNjM4ZDBhOS02NDhkLTQwYmUtYmMwMi1mYmY5MTQ2OWQ2
    GjZiTCJuYW1lIjoiU3VwcG9ydCBAIFplbmVneSIsIm1vYmlsZV9waG9uZV92ZXJpZmllZCI6IlRydWUiLCJ
    tb2JpbGVfcGhvbmUiOiIrMzg5NzU0NTc0MDUiLCJlbWFpbEFkZHJlc3MiOiJzdXBwb3J0X3RlYW1AemVuZW
    d5LmNvbSIsImxhbmd1YWdlIjoiZW4iLCJhdXRoX3Byb3ZpZGVyIjoie1wiVHlwZVwiOjEsXCJJZGVudGlma
    WNhdGlvblwiOm51bGx9IiwidXNlcl9hcHBfZ3JhbnRfaWQiOiI0MjgyNyIsImFwcGxpY2F0aW9uX25hbWUi
    OiJaZW5lZ3kgQWNjb3VudGluZyIsInRva2VuX2lkIjoiMko1YXVGWDlPOXAwWjJOOVFBZXJXTlFMTFVuU25
    YamciLCJuYmYiOjE1Nzg1Nzk4MzksImV4cCI6MTU3ODU4MzQzOSwiaXNzIjoiaHR0cHM6Ly9hdXRoLnphbG
    FyeS5jb20vIiwiYXVkIjoiY2Q3MWQ1Y2EzNzRjNDliZGFjMTExNTBjZGRjY2VjMTcifQ.rnYvYVwLCyUn7E
    twQgF1KLNfdkUxxcMGx0KECFq7DpQ",
    "token_type": "bearer",
    "expires_in": 1799,
    "refresh_token": "OWViZWNhYWE4NDkzNDNkZDhjYjQ3M2Q1NzI0MmM5OTM=",
    "company_id": "ba8d4080-5828-42d1-a702-96615b527c67"
    }

Make Authenticated Requests

Once you've obtained an access token, you can start making authenticated API requests on behalf of the user by including an Authorization header in the HTTP call to Zenegy API.

    GET /api/companies/{company_id} HTTP/1.1
    Host: api.zenegy.com
    Authorization: Bearer {access_token}

Handling Invalid Tokens

If you make an API call using an invalid token, you'll receive a 401 Unauthorized response from the server and have to regenerate the token. A token could be invalid due to the following reasons:

  • It has expired.

  • The member revoked the permission they initially granted to your application.

A predictable expiry time is not the only contributing factor to an invalid token, so you must code your applications to handle a 401 Unauthorized error by properly redirecting the member back to the start of the authorization workflow.

Your Application is Rejected

If the member chooses to cancel or the request fails for any reason, the client has been redirected to your redirect_uri callback URL with no code attached.

Refresh Tokens

ParameterDescription
grant_typeThe value of this field should always be refresh_token.
refresh_tokenThe number of seconds remaining until the token expires. Currently, all access tokens are issued with 30 minutes lifespan.
client_idThe unique ID of the application was generated by Zenegy when you registered your application.
client_secretThe Client Secret value was generated by Zenegy when you registered your application.

Example:

    POST /auth/token HTTP/1.1
    Host: auth.zenegy.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=refresh_token&refresh_token=onN6Fvu9JM9HfOYWY15MSDo2PRqlbx1xS
    V9d+nO613g=&client_id={{client_id}}&client_secret={{secret}}

Result:

    {
        "access_token":
        "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTI1NiIsInR5cCI6Ik
        pXVCJ9.eyZpZCI6IjEiLCJ1aWQiOiJhNjM4ZDBhOS02NDhkLTQwYmUtYmMwMi1mYmY5MTQ2OWQ2MjMiLCJuYW1lIjoi
        U3VwcG9ydCBAIFplbmVneSIsIm1vYmlsZV9waG9uZV92ZXJpZmllZCI6IlRydWUiLCJtb2JpbGVfcGhvbmUiOiIrMzg
        5NzU0NTc0MDUiLCJlbWFpbEFkZHJlc3MiOiJzdXBwb3J0X3RlYW1AemVuZWd5LmNvbSIsImxhbmd1YWdlIjoiZW4iLC
        JhdXRoX3Gyb3ZpZGVyIjoie1wiVHlwZVwiOjEsXCJJZGVudGlmaWNhdGlvblwiOm51bGx9IiwidXNlcl9hcHBfZ3Jhb
        nRfaWQiOiI0MjgyNyIsImFwcGxpY2F0aW9uX25hbWUiOiJaZW5lZ3kgQWNjb3VudGluZyIsInRva2VuX2lkIjoiU2tD
        ZjhWdXlPYzAxZEVGNTE3VmJkdUZWM1lhVlV2VUQiLCJuYmYiOjE1Nzg1ODM0NDUsImV4cCI6MTU3ODU4NzA0NSwiaXN
        zIjoiaHR0cHM6Ly9hdXRoLnphbGFyeS5jb20vIiwiYXVkIjoiY2Q3MWQ1Y2EzNzRjNDliZGFjMTExNTBjZGRjY2VjMT
        cifQ.2oemzm1RdhdUQvGIpryQxLsVmlvfTIOAUiY63JAvQsI",
        "token_type": "bearer",
        "expires_in": 1799,
        "refresh_token": "OWViZWNhYWE4NDkzNDNkZDhjYjQ3M2Q1NzI0MmM5OTM=",
        "company_id": "ba8d4080-5828-42d1-a702-96615b527c67"
    }

What’s Next