Authentication

OAuth2 authentication

Section titled OAuth2 authentication

The Contentsquare APIs use the server-to-server OAuth 2.0 standard for authentication, also know as 2-legged OAuth or OAuth 2LO.

The flow basically consists in calling an authentication endpoint with a pair client_id / client_secret to retrieve an access token that remains valid for 1 hour. This JWT token should then be used as a Bearer token in the headers of your HTTPS requests (in the form Authorization: Bearer YOUR_ACCESS_TOKEN).

Note that the API call to the authentication endpoint will also dynamically return the right base URL that you must use. This base URL depends on which cloud the target project is installed on.

You can refer below to a detailed example of the overall flow to retrieve a token and a base URL, and use those to make query the Metrics API.

You can generate a pair client_id / client_secret from the Contentsquare console, as a Contentsquare administrator. You can find how to generate these credentials in our Help Center documentation.

You can create OAuth credentials either:

  • At the Project level, to request access resources from a specific project only
  • At the Account level: to request access for any project of the account

Refresh your access token

Section titled Refresh your access token

Once you get a JWT access token (see the authentication endpoint below), it’s valid for 1 hour. If you try to query the Contentsquare APIs with an access token that has expired, you will receive a 401 Unauthorized error with the error code JWT_EXPIRED, in the form:

{
  "success": false,
  "errorMessage": "Auth token is expired.",
  "errorCode": "JWT_EXPIRED"
}

In that case, you should first use your OAuth credentials (your pair client_id / client_secret) to query a new access token. The OAuth credentials don’t expire.

Authentication endpoint

Section titled Authentication endpoint

POST https://api.contentsquare.com/v1/oauth/token

Parameters

Section titled Parameters

These parameters have to be provided in the body of the request.

client_id

Required. The OAuth client_id generated from the Contentsquare console

client_secret

Required. The OAuth client_secret generated from the Contentsquare console

grant_type

Required. Always set it to "client_credentials", as required by the OAuth 2.0 standard

scope

Required. You should use "metrics".
If needed, you can specify a list of several scopes to get a token that can query several APIs (e.g. "data-export metrics" if you want your token to cover both the Data Export API and Metrics API scopes). The only scope that cannot be combined with other scopes is enrichment.

project_id

Optional. Only required if you use account-level OAuth credentials, to specify which project of the account you want to target

Request example

Section titled Request example
Terminal window
curl --location 'https://api.contentsquare.com/v1/oauth/token' \
--header 'Content-Type: application/json' \
--data '{
    "client_id": "c3133d76-a768-4f5a-XXX",
    "client_secret": "0ISL0DEC;UyYKB;riWRS0EXXX",
    "grant_type": "client_credentials",
    "scope": "metrics",
    "project_id": 42
}'

Response example

Section titled Response example
{
  "access_token": "eyJhbGciOiJSIsImtpY5MTXXX.CNTcKWAUb2mTp2cZyiDRYYOtGCKXXX", // to be used as bearer token to query the APIs
  "token_type": "bearer",
  "expires_in": 3600,
  "scope": "metrics",
  "project_id": 42,
  "endpoint": "https://api.eu-west-1.production.contentsquare.com" // this is the base URL you should use to query the Metrics API endpoints - the providded URL depends on the cloud the project is installed on
}

Example of authentication flow

Section titled Example of authentication flow

Below is a sample of Javascript code to show a complete API call flow that first retrieves an access token and then use it to retrieve the list of segments on a project:

const clientId = "<your_client_id>";
const clientSecret = "<your_client_secret>";
const authEndpoint = "https://api.contentsquare.com/v1/oauth/token";
const authRequestOptions = {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "client_credentials",
    project_id: 42,
    scope: "metrics",
  }),
};
const authResponse = await fetch(authEndpoint, authRequestOptions);
const authJsonData = await authResponse.json();
// Below are the access token and base URL that must be used to query the Metrics API endpoints
const accessToken = authJsonData.access_token;
const baseURL = authJsonData.endpoint;
// Using the access token and base URL to query the Metrics API endpoints and get the segments in this example
const metricsApiEndpointResponse = await fetch(`${baseURL}/v1/segments`, {
  headers: { Authorization: `Bearer ${accessToken}` },
});
const metricsApiEndpointauthJsonData = await metricsApiEndpointResponse.json();
const segments = metricsApiEndpointauthJsonData.payload;

OAuth credentials information endpoint

Section titled OAuth credentials information endpoint

POST https://api.contentsquare.com/v1/oauth/me

Parameters

Section titled Parameters

None.

Request example

Section titled Request example
Terminal window
curl --location 'https://api.contentsquare.com/v1/oauth/me' \
--header 'Content-Type: application/json' \
--data '{
    "client_id": "c3133d76-a768-4f5a-XXX",
    "client_secret": "0ISL0DEC;UyYKB;riWRS0EXXX",
}'

Response example

Section titled Response example
{
  "scopes": "metrics data-export session-replay symbolicator",
  "permissions": {
    "projects": [
      {
        "id": 42,
        "name": "UX ANALYTICS"
      }
    ]
  }
}