Zanox Connect
From Wiki.zanox.com
This page is for developers looking to integrate zanox Connect into their applications.
zanox Connect is zanox's single sign-on solution for integrating applications developed using Web Services under one security platform. It is based on the OAuth protocol, which is also used by Facebook. The essence of zanox Connect is that every request to the zanox Web Services APIs must be made with identifying credentials. These credentials consist of:
- credentials created when you create an application in the zanox Application Store; and
- credentials obtained with an authorization token provided to your application as part of the Connect flow.
The entire zanox Connect flow is described in detail in the step-by-step guide. The flow for the various kinds of applications, and the credentials provided by zanox Connect, is summarized below.
Integrating non-widget applications with zanox Connect
Non-widget applications require the user to log on using zanox Connect. You have successfully configured your application - meaning the user will be re-directed to the Connect login page as necessary, then sent to your application - when:
- the Website URL under the General tab contains a link to the zanox Connect login page (http://auth.zanox-affiliate.de/login?appid=YOUR_APPLICATION_ID); and
- the Callback URL under the zanox Keys tab contains a link to the page that should be called when the zanox Connect login is successful. This link will be passed the authorization token, e.g. http://YOUR_CALLBACK_URL?authtoken=AUTHTOKEN, which you will then pass to the getSession() method to initialize a zanox Connect session.
The session object returned by getSession() should be stored by your application and used to make API calls.
The entire process is outlined here:
- Step 1 - Connect your application or site with zanox
- Step 2 - Authenticate the user
- Step 3 - Use the authorization token to retrieve the user credentials
- Step 4 - Get the user credentials
- Step 5 - Use zanox Web Services
and an example can be found in the PHP Client documentation.
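The following is an added example of the callback side of the flow described in steps 2 to 4 above. It is not code from the zanox PHP client or from this wiki: the authorization server is a constructed in-process stand-in that only models the two properties the page states (the authorization token is single-use, and the session key expires after 2 hours), and the method and field names on it are assumptions. What it shows is the part the application is responsible for: reading exactly one authtoken from the callback URL, redeeming it once, and holding the resulting credentials server-side behind an opaque cookie value rather than handing them to the browser.

```python
import secrets
from urllib.parse import parse_qs, urlparse

SESSION_TTL = 2 * 60 * 60  # session key lifetime stated on the page: 2 hours, in seconds


class FakeConnectServer:
    """Constructed stand-in for the zanox Connect authorization server (not the real API)."""

    def __init__(self):
        self._pending = {}  # authtoken -> connect id of the user who logged in
        self._used = set()  # every token that has been redeemed, so a replay is refused

    def login(self, user_connect_id, callback_url):
        # Step 2: after a successful login the user is sent to the callback URL with a token.
        token = secrets.token_urlsafe(24)
        self._pending[token] = user_connect_id
        return f"{callback_url}?authtoken={token}"

    def get_session(self, authtoken, now):
        # Step 3/4: exchange the single-use token for the user's credentials.
        if authtoken in self._used or authtoken not in self._pending:
            raise PermissionError("invalid or already-used authorization token")
        user = self._pending.pop(authtoken)
        self._used.add(authtoken)
        return {
            "connect_id": user,                       # Connect ID (application user)
            "secret_key": secrets.token_hex(16),      # Secret key (application user)
            "session_key": secrets.token_urlsafe(24), # Session key
            "expires_at": now + SESSION_TTL,
        }


class CallbackHandler:
    """Application side: handles the Callback URL and keeps credentials server-side."""

    def __init__(self, server):
        self.server = server
        self.sessions = {}  # opaque cookie value -> credentials returned by get_session

    def handle_callback(self, url, now):
        query = parse_qs(urlparse(url).query)
        tokens = query.get("authtoken", [])
        if len(tokens) != 1:
            raise ValueError("callback must carry exactly one authtoken parameter")
        creds = self.server.get_session(tokens[0], now)
        # The browser only ever sees this random cookie value; the secret key and
        # session key stay in server memory.
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = creds
        return cookie

    def credentials_for(self, cookie, now):
        # Step 5: look up the credentials for an API call; drop them once expired.
        creds = self.sessions.get(cookie)
        if creds is None or now >= creds["expires_at"]:
            self.sessions.pop(cookie, None)
            return None
        return creds


def demo(now=1_000):
    """Run the flow once and report: connect id seen, replay refused, session expired."""
    server = FakeConnectServer()
    app = CallbackHandler(server)
    callback = server.login("user-connect-id-1", "https://app.example/callback")
    cookie = app.handle_callback(callback, now)
    connect_id = app.credentials_for(cookie, now)["connect_id"]
    try:
        app.handle_callback(callback, now + 1)  # same token presented a second time
        replay_refused = False
    except PermissionError:
        replay_refused = True
    expired = app.credentials_for(cookie, now + SESSION_TTL) is None
    return connect_id, replay_refused, expired


if __name__ == "__main__":
    print(demo())
```

The two checks worth copying into a real integration are the exact-one-parameter test on the callback (a duplicated authtoken parameter is a sign something other than the login page built the URL) and the server-side expiry check, so that an application never retries API calls with a session key the page says is dead after 2 hours.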
The following diagram illustrates the process:
Defining the various credentials
It is important to understand the various credentials used by zanox Connect. A frequent point of confusion is that there are two sets of Connect ID and Secret Key: one used by the developer to make calls on their own behalf, i.e. to access data in their own zanox account, and a second used by the application to make calls on behalf of the user.
The following credentials are created along with the application in the Application Store:
- Application ID: used to call the zanox Connect login page.
- Connect ID (developer): used to identify the developer when making API calls.
- Public key: used to identify the application when making API calls.
- Secret key (developer): used to compute the hash-based signature required for secure calls (a big advantage of the client libraries is that they create the signature for you). We strongly recommend keeping this key off the client side: anything embedded in client-side code can be read from the page source in any browser.
The following credentials are created after the user has successfully logged in to an application:
- Authorization token: used to start a zanox Connect session. It is a so-called "single-use token": it is passed to the application once the user is logged in and becomes invalid as soon as it has been used to call the API method getSession(). getSession() then returns the rest of the credentials.
- Connect ID (application user): used to identify the user when making API calls.
- Secret key (application user): used to compute the hash-based signature required for secure calls made on behalf of the user (a big advantage of the client libraries is that they create the signature for you). We strongly recommend keeping this key off the client side: anything embedded in client-side code can be read from the page source in any browser.
- Session key: used to identify the zanox Connect session. Expires after 2 hours, after which the user's data can no longer be accessed.
- Offline token: alternate authorization token that does not expire; used to call GetOfflineSession() without the user being logged in, which in turn is used to make asynchronous data requests.
Quick start guides
The following tutorials are a mix of overview information and technical details to help you get started:
