User API Authorization

User API requests are performed with the user access token. User access tokens are tied to a specific user and integration. Data returned from User API calls will be "scoped" to a specific user. If you are working with assignments, submissions, and grades, these requests will also contain important permissions checks to ensure that the user has the necessary permissions to access the requested data.

Generating User Access Tokens

User access tokens are generated during the OAuth 2.0 SSO flow. A full guide on Edlink's OAuth 2.0 implementation is available at the link below.

The result of this flow is an access token and a refresh token. The access token is used to make requests to the User API. The refresh token is used to obtain a new access token when the current access token expires.

  • You may have many user access tokens for a single integration.
  • You may have many user access tokens for a single user.
  • Access tokens always expire after 60 minutes.
  • Refresh tokens do not expire.
  • While it is not strictly forbidden, it is suggested that you do not expose the access token or refresh token to the frontend. Instead, we suggest storing them in your database and using them on the backend.
  • If you believe that a user access token or refresh token has been compromised, you should contact us immediately.

Making Requests With User Access Tokens

Using the user access token is simple. Add the token to the authorization header of your request.

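const axios = require('axios');

// user_access_token is the token stored on your backend for this user.
axios.get('https://ed.link/api/v2/my/classes', {
    headers: {
        authorization: `Bearer ${user_access_token}`
    }
});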
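
The token rules listed above (60-minute access tokens, long-lived refresh tokens, backend-only storage) can be enforced in one server-side helper. The following is an added example, not Edlink's code: `createTokenStore`, the injected `refresh` callback (which would perform the OAuth 2.0 refresh request) and the one-minute renewal margin are assumptions, and the in-memory `Map` stands in for your database.

```javascript
// Added example: server-side holder for user access tokens.
const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000; // page: access tokens expire after 60 minutes
const REFRESH_SKEW_MS = 60 * 1000;          // assumption: renew one minute early

// `refresh(refreshToken)` is a hypothetical callback that performs the OAuth 2.0
// refresh request and resolves to { access_token, refresh_token? }.
function createTokenStore({ refresh, now = Date.now }) {
    const records = new Map();  // stand-in for a database table keyed by user id
    const inFlight = new Map(); // user id -> pending refresh promise

    function save(userId, tokens) {
        const previous = records.get(userId) || {};
        records.set(userId, {
            accessToken: tokens.access_token,
            // keep the old refresh token if the response does not return a new one
            refreshToken: tokens.refresh_token || previous.refreshToken,
            issuedAt: now()
        });
    }

    function isStale(record) {
        return now() - record.issuedAt >= ACCESS_TOKEN_TTL_MS - REFRESH_SKEW_MS;
    }

    async function authHeaders(userId) {
        const record = records.get(userId);
        if (!record) throw new Error(`no tokens stored for user ${userId}`);
        if (isStale(record)) {
            // single-flight: concurrent requests for one user share one refresh call
            if (!inFlight.has(userId)) {
                const pending = Promise.resolve(refresh(record.refreshToken))
                    .then((tokens) => save(userId, tokens))
                    .finally(() => inFlight.delete(userId));
                inFlight.set(userId, pending);
            }
            await inFlight.get(userId);
        }
        // only the header leaves this module; the refresh token never does
        return { authorization: `Bearer ${records.get(userId).accessToken}` };
    }

    return { save, authHeaders };
}
```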