The SumoQuote API uses the OAuth 2.0 protocol for authentication and authorization.

Before your application can access the SumoQuote API, you'll need to contact [email protected] to request a client_id specific to your implementation.

The API team will require a redirect URI to fully configure your client. This is the URL that SumoQuote will redirect to after authentication has taken place. Register the exact URL your application will use (scheme, host, port and path); the redirect_uri you send in the authorization request must match the registered value, or the request will be rejected.

Once your client is configured, your application will need to follow these authorization steps:

STEP 1: Get the authorization code for your client:

The audience is "https://api.sumoquote.com". Build the authorization URL and send the user's browser to it:

var CLIENT_ID = 'CLIENT_ID';                       // issued by the SumoQuote API team
var AUDIENCE = 'https://api.sumoquote.com';
var REDIRECT_URI = 'CALLBACK_URL';                 // the redirect URI you registered

var redirect = `https://sumo-quote.auth0.com/authorize?client_id=${encodeURIComponent(CLIENT_ID)}&audience=${encodeURIComponent(AUDIENCE)}&redirect_uri=${encodeURIComponent(REDIRECT_URI)}&response_type=code&protocol=oauth2&scope=offline_access`;

This redirect will open a screen asking the SumoQuote user to log in with their SumoQuote username and password. Once the user has successfully authenticated, we will redirect back to your redirect URI with an authorization code in the URL's query string (the "code" parameter). The offline_access scope is what causes a refresh token to be issued in the next step. As with any OAuth 2.0 authorization-code flow, you should also add a random, per-session "state" parameter to this URL and verify that the same value comes back on the callback before exchanging the code; otherwise an attacker can inject an authorization code from their own account into another user's session.

Next, you'll need a bearer token to use when calling the SumoQuote API.

STEP 2: POST the authorization code to exchange it for a token (this request is made from your server, because it carries your client_secret; never ship the secret in browser or mobile code):

var axios = require('axios');

var options = {
    method: 'POST',
    url: 'https://sumo-quote.auth0.com/oauth/token',
    headers: {'content-type': 'application/json'},
    data: {
      audience: 'https://api.sumoquote.com',
      grant_type: 'authorization_code',
      client_id: 'CLIENT_ID',
      client_secret: 'CLIENT_SECRET',
      code: 'AUTH_CODE',            // the code from the callback URL in STEP 1
      redirect_uri: 'CALLBACK_URL', // must match the redirect_uri sent in STEP 1
    }
  };

axios.request(options).then(function (response) {
    console.log(response.data);   // the token payload shown below
  }).catch(function (error) {
    console.error(error);
  });

In response, SumoQuote will send back an Authorization payload that contains:

{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}

The access token expires in 24 hours (expires_in is given in seconds). When it expires, post to the same oauth/token endpoint again with grant_type set to "refresh_token" and the refresh token in the refresh_token field (see REFRESH TOKEN below) to obtain a new access token. The authorization code from STEP 1 is single-use and cannot be exchanged a second time.

See THE BASICS section on how to configure your API requests with this Bearer token.

REFRESH TOKEN

When an access token expires, you can use the refresh_token to get a new access token. POST the following JSON body to the same https://sumo-quote.auth0.com/oauth/token endpoint used in STEP 2 (no audience or redirect_uri is needed for this grant); the response has the same shape as the STEP 2 payload. If the response does not include a new refresh_token, keep using the one you already have.

{
  "grant_type": "refresh_token",
  "client_id": "CLIENT_ID",
  "client_secret": "CLIENT_SECRET",
  "refresh_token": "YOUR_REFRESH_TOKEN"
}