{"id":1335,"date":"2018-05-31T23:52:21","date_gmt":"2018-06-01T06:52:21","guid":{"rendered":"https:\/\/officedevblogs.wpengine.com\/?p=1335"},"modified":"2018-05-31T23:52:21","modified_gmt":"2018-06-01T06:52:21","slug":"securing-api-requests-from-kaizala-action","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/securing-api-requests-from-kaizala-action\/","title":{"rendered":"Securing API requests from Kaizala action"},"content":{"rendered":"

There are scenarios where you may want to query your service from within the Kaizala card. While the APIs to be queried are public (without any authentication), you can query them directly. But, in case you want to secure your APIs to make sure the calls are made by the particular user from within the Kaizala card alone \u2013 you use the\u00a0Integration Service\u00a0<\/strong>token. This post explains how you generate this token and subsequently validate this on the service side.<\/p>\n

Generating the Integration Service token<\/h2>\n

To generate the Integration Services token from within the card, you will need to call the method\u00a0getIntegrationServiceToken<\/strong>\u00a0exposed in the SDK (KASClient.js). Below is the screenshot of the API and the result printed from the developer tools console.<\/p>\n

\"Screenshot<\/p>\n

You can now pass this in your call to the API (as a header \/ in the body).<\/p>\n

Validating the token<\/h2>\n

In order to identify if the API request is genuine, you will need to validate the token. This is done by calling into the\u00a0v1\/users\/me<\/strong>\u00a0endpoint with the token as the accessToken in the header. Integration Service token\u2019s validity is 30 mins.<\/p>\n

\"Logged<\/p>\n

This gives you the following details:<\/p>\n

    \n
  1. id<\/strong>\u00a0\u2013 Kaizala user id, a guid to identify the user<\/li>\n
  2. name<\/strong>\u00a0\u2013 name set by the user in the profile<\/li>\n
  3. phoneNumber<\/strong>\u00a0\u2013 phone number of the user<\/li>\n
  4. pictureUrl<\/strong>\u00a0\u2013 link to the profile picture<\/li>\n
  5. actionPackageId<\/strong>\u00a0\u2013 Id of the Kaizala card \/ action package from which the token was generated<\/li>\n<\/ol>\n

    You can then use this on the service side to validate if the token to authenticate and authorize the request.<\/p>\n

    Hope that was helpful. Let me know if you have any questions through the comments section or you can email kaizaladev@microsoft.com. Thank you for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"

    There are scenarios where you may want to query your service from within the Kaizala card. While the APIs to be queried are public (without any authentication), you can query them directly. But, in case you want to secure your APIs to make sure the calls are made by the particular user from within the Kaizala card alone \u2013 you use the\u00a0Integration Service\u00a0token. This post explains how you generate this token and subsequently validate this on the service side.<\/p>\n","protected":false},"author":69216,"featured_media":1334,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[11],"tags":[87],"class_list":["post-1335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-office-add-ins","tag-kaizala"],"acf":[],"blog_post_summary":"

    There are scenarios where you may want to query your service from within the Kaizala card. While the APIs to be queried are public (without any authentication), you can query them directly. But, in case you want to secure your APIs to make sure the calls are made by the particular user from within the Kaizala card alone \u2013 you use the\u00a0Integration Service\u00a0token. This post explains how you generate this token and subsequently validate this on the service side.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/1335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69216"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=1335"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/1335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/1334"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=1335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=1335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=1335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}