Get Authentication Credentials to Authorize With Adform APIs

Vaida
Vaida
  • Updated

All Adform API endpoints require authorization to ensure control of data access. To authorize with Adform APIs, you must have a valid user account.

Adform uses OAuth 2.0 as the authorization standard. The key points of OAuth 2.0 are:

  • User credentials aren't passed to the application.

  • User allows applications to access the limited scope of functionality.

  • APIs can identify their users.

With OAuth 2.0, in addition to a user account, you must register an OAuth client (application) to get an access token to use the API. Using an access token, Adform APIs can:

  • Authorize you as an end user and your OAuth client.

  • Receive and execute your request.

  • Return the requested resource.

OAuth Terminology

OAuth authorization protocol uses these terms:

Term

Description

OAuth client

An application (a web app, native desktop or mobile app, or similar) that a user uses to request access to the protected resources available through API. An OAuth client must be registered with an authorization server.

User

A person who uses a registered OAuth client to access API resources. A user can also be called a resource owner.

Access token

A string that contains information about the user and their permissions. An OAuth client uses an access token to send requests to the resource server.

Scope

An identifier for resources to which the OAuth client requires access. A user needs to send this identifier to an authorization server with a request for authentication or to get an access token.

Authorization server

An OAuth and OpenID Connect service that allows users to access APIs by authenticating a user, an OAuth client (application), and issuing tokens for that client. An authorization server can also be called an identity provider.

OAuth Overview

OAuth 2.0 in Adform provides several authorization methods that support different use cases and application types. In addition, Adform partially supports OpenID Connect (OIDC) protocol that adds to OAuth 2.0 and can be used for authentication and to obtain user's information. See OIDC protocol's discovery document for the list of supported authorization URIs, token, user information, and public-keys endpoints.

To simplify authorization with Adform APIs, you need to cache these authorization and token endpoints that are provided in the discovery document:

{
"authorization_endpoint": "https://id.adform.com/sts/connect/authorize",
"token_endpoint": "https://id.adform.com/sts/connect/token",
}

Get Authentication Credentials

To get authentication credentials and authorize with Adform APIs, you need to register an OAuth client. To register an OAuth client, contact Adform Support (technical@adform.com) and provide:

  • A short description of your application (your use cases for Adform API).

  • A list of all the needed scopes for the application.

  • The authorization method that you use.

Additionally, provide this information depending on the authorization method that you use:

  • If your application uses the client credentials authorization method, provide the username of the account on which the application works.

    Note

    To receive application credentials, the account must have a valid email address. We recommend having a separate user account for this workflow.

  • If your application uses the authorization code method, provide this information:

    • Return URLs of your application. (After successful authentication, Adform API redirects a user to one of the URLs.)

    • Name of your application as shown on the login page.

    • The URL for your application’s logo (50x50 pixels).

    • The URL for the page with information about your application, for example, an “About us” page.

After processing your request, Adform Support team will provide your API credentials via email. To check your credentials:

  1. Check your inbox for an email titled “OAuth client credentials for Adform API“. If you don’t see this email in your inbox, also check the Spam folder in case it's been filtered.

  2. Click the link within the email to receive your credentials. The message should look like this:

    OAuth_credentials_1.png

    Where:

    • Title is your OAuth client (application).

    • Username is your Client ID.

    • Password is your Client Secret.

    Important

    The provided link is active for seven days, but you can use it only twice. Make sure to save your credentials before closing the window or tab to ensure that you don’t lose this information.

    If you lose your credentials, you must request new credentials by repeating the OAuth client registration process.

Authorization Methods

To register an OAuth client, you must provide the authorization method that you use. The choice of authorization method depends on what type of integration you have.

Client Credentials Authorization Method

We recommend to use this method for service-to-service integrations that don’t involve end user authentication. In this method, the user is integrated with a client (application).

The most common use cases for this method are:

  • Automated reporting data retrieval

  • Automated campaign data management

  • Automated tracking URLs modifications

Client credentials method chart:

client-credentials-workflow-schema.png

You can obtain the access token with an HTTP POST request:

POST https://id.adform.com/sts/connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=<CLIENT_ID>&
client_secret=<CLIENT_SECRET>&
scope=<SCOPES>

Request body parameters:

Name

Description

grant_type

Must be client_credentials.

client_id

The username you receive with your OAuth client credentials. Must be included either in POST request body, or Base64 encoded in a basic authorization header.

client_secret

The password you receive with your OAuth client credentials. Must be included either in POST request body, or Base64 encoded in a basic authorization header.

scope

One or more space-separated scopes that you need access to.

The response is a JSON-encoded object:

{
  "access_token": "<ACCESS_TOKEN>",
  "expires_in": <EXPIRATION_TIME>,
  "token_type": "Bearer"
}

Response body parameters:

Name

Description

access_token

The requested access token. You can use it to access a secured resource, such as a web API.

expires_in

The token's duration in seconds. Once the token expires, you'll need to request it again.

token_type

The token's type. In this case, a Bearer token.

Authorization Code Method

We recommend to use this method when an application has a back-end and, optionally, multiple users. Users give consent to an application to access a user's resources. Users can also give consent to access an application's resources offline.

Authorization code method chart:

authorization-code-flow-schema.png

To initiate an authorization request, redirect a user to the proper endpoint:

https://id.adform.com/sts/connect/authorize?scope=<SCOPES>&state=<STATE>&response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>

Endpoint parameters:

Name

Description

scope

One or more space-separated scopes. Client must have access to these scopes.

state

A random client-generated string to verify that the returning user is the one who initiated the authorization. This string can be stored in a session storage before redirecting a user, and validated after the user returns.

client_id

A client (application) identifier.

redirect_uri

URI to which the user is redirected after authentication. URIs must be registered (assigned) for a client and use HTTPS.

A user will be asked to authenticate and authorize an application (to give consent).

After successful authentication, a user will be redirected to the URI provided in the redirect_uri parameter:

https://<REDIRECT_URI>?code=<AUTHORIZATION_CODE>&state=<STATE>

After a user is redirected, an application will:

  • Validate a state value

  • Exchange an authorization code for an access token. This will be done with a HTTP POST request in the back-end:

    POST https://id.adform.com/sts/connect/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=authorization_code&
    code=<AUTHORIZATION_CODE>&
    client_id=<CLIENT_ID>&
    client_secret=<CLIENT_SECRET>&
    redirect_uri=<REDIRECT_URI>

    Request body parameters:

    Name

    Description

    grant_type

    Must be authorization_code.

    code

    Authorization code received from query parameters.

    client_id

    A client (application) identifier.

    client_secret

    A client secret (application password).

    redirect_uri

    URI to which the user is redirected to after authentication.

The response is a JSON-encoded object:

{
  "access_token": "<ACCESS_TOKEN>",
  "expires_in": <TOKEN EXPIRATION TIME IN SECONDS>,
  "token_type": "Bearer"
}

Response body parameters:

Name

Description

access_token

The requested access token. You can use it to access a secured resource, such as a web API.

expires_in

The token's duration in seconds. Once the token expires, you'll need to request it again.

token_type

The token's type. In this case, a Bearer token.

Each API request that follows must contain an access_token value in a header.

If an authorization request includes the offline_access scope, the response will include a refresh_token that you can convert to a new valid access_token.

Retrieve User Information

If your application has multiple users, you can retrieve user profile information of the authenticated user with Security & Authorization API.

OAuth Scopes

You can access most Adform APIs with the EAPI scope: https://api.adform.com/scope/eapi

To retrieve a refresh token using the authorization code method, use offline_access scope.

To get an id_token or access UserInfo and other endpoints for OpenID Connect, use standard OpenID Connect scopes: openidprofile.

You can find other necessary scopes in the Required Access section in the documentation of each API as well as next to the relevant endpoints.

API-scopes-example.png

Renew an Expired Token

Once you receive an access_token, you must include it in all future API requests by adding an HTTP header.

An access token is temporary and typically expires after one hour. If you use the token after its expiration, API services will respond with the 401 HTTP code. To get a new access token, follow the directions depending on your authorization method:

  • For client credentials authorization method: Obtain a new access_token.

  • For authorization code method:

    1. Perform authorization method by redirecting a user to an authorization server.

    2. Convert a refresh token to an access token.

You can convert an expired token to a new valid access token with an HTTP POST request:

POST /sts/connect/token HTTP/1.1
Host: id.adform.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
refresh_token=<REFRESH_TOKEN>&
client_id=<CLIENT_ID>&
client_secret=<CLIENT_SECRET>

Was this article helpful?

/
How we can make it better?

Thank you for your feedback!