Can I have a collection pass both oAuth2 and api-key?

I’ve tried to search the forum but didn’t see anything on this.

I set up my collection, edited it and added oAuth2, got a new key. I also added my api-key under API Key.

But when I try and run anything I still have to add the api-key to my header manually. Can I not have both in my collection and inherit them both?

Thanks in advance for any help.

Ray

Hi Ray,

The OAuth 2.0 protocol does not mention the need for an API key. Typically you need to authenticate the request where you exchange the authorization code for an access token by providing the client id and secret as a basic auth header or directly in the request body.

For any request when using OAuth, you will only use the access token and send it in the Authorization header. There is nothing to inherit, apart from using the access token to access any protected resource.

Are you sure you are not confusing the API key with the OAuth token? (no offense intended). It would help if you could add some screenshots to eliminate any confusion.

Thanks for the quick response.

The system I’m accessing is oAuth2 and uses an API Key. From the docs -


Authentication

Connect CRM APIs support OAuth 2.0, a secure authorization framework for providing limited access to data on a web server, using the Client Credentials grant type.

Accessing an API with OAuth 2.0 involves obtaining a temporary access token and using this token to request a set of resources. For more information, refer to RFC 6749 - The OAuth 2.0 Authorization Framework.

Our APIs also support “scopes,” which trim data as appropriate for the client application. All external, 3rd party applications must use the ‘PublicAPI’ scope when placing requests to the Connect CRM APIs.


So every request needs the Bearer and API. I get the Bearer automatically from the collection but I’d also like to get the API key rather than having to put it into each and every header.

Once again, thanks!

At least from the snippet pasted here, there is no mention of an API key.

You use the OAuth 2 Client Credentials Flow to get an access token and use that access token for all other requests.

Thanks but every request needs both Bearer and API key.

From the docs -

API Request Header

In the table below, you will find the header keys and example values. Be sure to check the allowed Accept and Content-Type headers for each endpoint, as there are differences between endpoints.

| Key | Example Values | Required | Description |
|---|---|---|---|
| Authorization | Bearer 123456789 | Yes | Required token to verify your application’s identity and scope. Expires every 60 minutes. |
| api_key | asdf1234jkl;56789 | Yes | Required key to regulate endpoint access and usage limits. API keys do not expire but may be throttled to manage API or system performance. |
| Accept | application/json<br>application/vnd.coxauto.v1+json<br>application/vnd.coxauto.V3+json<br>application/xml | Yes | The format of the server response (including API version) expected by your client application. |
| Content-Type | application/json<br>application/vnd.coxauto.v1+json<br>application/vnd.coxauto.V3+json<br>application/xml | Yes\* | The media type format of the current request (or response). \*Required only in PUT or POST requests. |

So I need both for each and every request.

Sorry if I’m not showing this correctly. It seems to me that the Bearer auth gets you into the system and then they use the API Key for determining what parts you can access.

Thanks again. Ray

Ok, in this case do the following:

Create a header called Authorization and set it to the OAuth access token you get as a result of the flow.

Additionally, create a header called api_key and use your API key.

You can add both headers at a folder or collection level.

Thanks so much! I’ll try it tomorrow!


Just to follow up on this a little. You should put the value for the API key in the collection/folder/environment variables and assign it to the header value in the request using the mustache {{your_variable_name}} so that you can change this easily. You should set your OAuth2 bearer using the same approach, but I personally would set it up in the test script for the get OAuth2 flow call, using something like:

pm.environment.set("oauth2_bearer",value_of_token)

that will make it so that you can call any number of endpoints easily on their API without having to change/add values as you call each of the methods that you want to call in the collection.

Hope that all makes sense.

Mason,

Thanks! That helps. But the OAuth2 expires every hour, so I have to keep going back to renew it. The token name is always the same so I have multiple and growing. I know how to manually delete them but can I use mustache variable with possibly multiple same token names? Will it select the latest?

I appreciate your kind assistance.

Ray

Hey @RayinTampa:
So, here I guess I wasn’t clear :slight_smile: My fault sorry. You should put this request in a folder called “Setup” or some such one. You could then use the runner to call setup first and the value will be there. If you want to run test manually over time, you can call this request and let it set the variable for you. Since you are storing it in the environment, it will be available to all items in your collections.

The only request you need to call is the one that sets the variable. In the Test script for this request get the token and set it in the variable. That way whenever you need to “reset” it you can do it easily, by simply running it again. If you are using the runner, then make sure the Setup folder is first (top of the list of folders); it will run it for you before it runs the lower ones so it will, again, set the value for your run.

A more complex way, but one where you don’t have to do anything to get a new token each time you run any test in the collection, is to set the value using the pm.sendRequest in the pre-script to get and store it in the variable like always.

Here is the quick code list of what to do in the folder (if you put all your stuff in one folder) or collection (if you want it run every time no matter what):

  • make a pm.sendRequest to get the token
  • get the returned value for the token
  • store the value using: pm.environment.set("Key_name_for_token", token)

That should let you not have to deal with getting the token at all.

If I have a chance to show something like this I will reply here with some sample code.
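The pre-request approach outlined in the three steps above, written out as an added example (it is not code posted by anyone in this thread). It assumes the token endpoint accepts the client id and secret in the form body, and the variable names token_url, client_id, client_secret, api_key and oauth2_expires_at are choices made for this example. It caches the token until shortly before the 60-minute expiry and attaches both the Authorization and api_key headers.

```javascript
// Collection-level pre-request script (Postman sandbox).
// Assumed environment variables (names chosen for this example):
//   token_url, client_id, client_secret, api_key
const SKEW_MS = 60 * 1000; // refresh one minute before the token expires

// True when a stored token exists and is not about to expire.
function tokenIsFresh(pm, now) {
    const token = pm.environment.get("oauth2_bearer");
    const expiresAt = Number(pm.environment.get("oauth2_expires_at") || 0);
    return Boolean(token) && now + SKEW_MS < expiresAt;
}

// Attach both credentials to the outgoing request.
function setAuthHeaders(pm) {
    const bearer = "Bearer " + pm.environment.get("oauth2_bearer");
    pm.request.headers.upsert({ key: "Authorization", value: bearer });
    pm.request.headers.upsert({ key: "api_key", value: pm.environment.get("api_key") });
}

// Reuse the cached token, or run the client-credentials request first.
function ensureAuth(pm, now) {
    if (tokenIsFresh(pm, now)) {
        setAuthHeaders(pm);
        return "cached";
    }
    const form = {
        grant_type: "client_credentials",
        client_id: pm.environment.get("client_id"),
        client_secret: pm.environment.get("client_secret"),
        scope: "PublicAPI"
    };
    const urlencoded = Object.keys(form).map((k) => ({ key: k, value: form[k] }));
    pm.sendRequest({
        url: pm.environment.get("token_url"),
        method: "POST",
        body: { mode: "urlencoded", urlencoded: urlencoded }
    }, (err, res) => {
        if (err || res.code !== 200) throw new Error("token request failed");
        const body = res.json(); // never log this: it holds the access token
        pm.environment.set("oauth2_bearer", body.access_token);
        pm.environment.set("oauth2_expires_at", now + (body.expires_in || 3600) * 1000);
        setAuthHeaders(pm);
    });
    return "refreshed";
}

// Runs only inside Postman, where the global `pm` exists.
if (typeof pm !== "undefined") ensureAuth(pm, Date.now());
```

Keep client_secret and api_key in the environment's current value rather than the initial value, so they stay out of exported or shared copies of the environment.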

I would like to point out that this same behavior is required in Etsy v3 API, both OAuth 2.0 access token as Bearer header and x-api-key header are required.