Authorize in Space
Space security is based on access tokens: secrets used to authenticate API requests. To communicate with Space, an application must first obtain an access token and then send that token with each request it makes to Space. For example:
The access token not only authenticates the application in Space (confirms that the application is registered in the system) but also authorizes it (defines what the application is allowed to do in the system).
When calling the Space API, an application can act either on its own behalf or on behalf of a Space user. When acting on its own behalf, it is restricted to the permissions granted to the application by a Space administrator. When acting on behalf of a user, it is restricted to the permissions granted to the application by that user, and users can only grant permissions that they hold themselves.
For example, a chatbot typically posts messages on its own behalf: in a chat channel, you see the application as the message author. An application that creates an issue in Space as a result of a user action in some third-party system may act on behalf of that user: although the application creates the issue, the issue author is a particular Space user.
The methods of getting an access token are different depending on the subject. See the On behalf of column in the table below.
Get an access token
To get an access token, your application should use one of the authorization methods supported by Space: one of the OAuth 2.0 authorization flows or authorization with a permanent token. See details below.
Permanent token
  On behalf of: User or application
  Use for: Testing applications that are still in development
  How it works: Unlike the OAuth 2.0 flows, where the application obtains a temporary token for each communication session, a permanent token never expires. This makes the method less secure, though easier to implement.

Authorization Code flow
  On behalf of: User
  Use for: Web applications with authorization logic on the server
  How it works: The application sends the user to Space via a link that also includes the scope of required resources. After the user logs in to Space, Space redirects the user back to the application using the specified redirect URI. The redirect also carries an authorization code, which the application exchanges for an access token from Space.
  In Space, the Authorization Code flow is used in conjunction with the Refresh token flow. The application gets not only an access token but also a

Client Credentials flow
  On behalf of: Application
  Use for: Applications that need to access resources on behalf of themselves, for example chatbots
  How it works: The application receives an access token from Space by sending it
  Note: Resources that require user authorization cannot be accessed using the Client Credentials flow. Use one of the other flows so that your application acts on behalf of the user.

Implicit flow
  On behalf of: User
  Use for: Rich client web applications with authorization logic in a browser
  How it works: The application sends the user to Space via a link that also includes the scope of user account permissions. After the user logs in to Space, Space redirects the user back to the application using the specified redirect URI. The redirect itself contains the access token for the application.
  Note: Because the access token travels in the redirect, it is exposed to the browser history and to anything that can read the redirect URL; the OAuth 2.0 Security Best Current Practice recommends the Authorization Code flow over the Implicit flow for this reason.

Resource Owner Password Credentials flow
  On behalf of: User
  Use for: Potentially, scripts that need to access resources on behalf of a user
  How it works: The user gives the application their Space user credentials, and the application uses them to get full access to Space on behalf of that user.
  Note: We do not recommend this flow: the application handles the user's password directly and receives full access rather than a scoped grant.
  You don't have to explicitly enable this flow, as it is enabled by default for all registered applications.
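The Authorization Code and Client Credentials rows above, worked through as an added example; this is not code from the Space documentation or from the Space SDK. It assumes the endpoint paths /oauth/auth and /oauth/token, a scope string of the form global:Profile.View, HTTP Basic client authentication at the token endpoint, and the standard RFC 6749 token-response fields; check each of these against your Space instance's OAuth 2.0 endpoint list and your application's settings. The token endpoint is replaced by a constructed in-process fake so the flow runs offline; replace `transport` with a real HTTP call to use it. It also shows the Authorization header an API request carries once a token is in hand, which is the request shape the introduction refers to. The state check is the part most often left out: without a one-time random state bound to the user's session, an attacker can finish the callback with a code tied to their own account.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoint paths (not taken from this page); use the paths Space publishes.
AUTHORIZE_PATH = "/oauth/auth"
TOKEN_PATH = "/oauth/token"


def bearer_headers(access_token):
    """Headers for an API request once a token is in hand."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def state_of(url):
    """Extract the state parameter from an authorization or callback URL."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


class OAuthClient:
    """Application registration data plus the server-side store of pending states."""

    def __init__(self, base_url, client_id, client_secret, redirect_uri, transport):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        # transport(url, headers, body) -> dict: injected so the token exchange
        # can run offline against the fake endpoint below.
        self.transport = transport
        self.pending_states = set()

    def _token_request(self, form):
        # The application authenticates to the token endpoint with HTTP Basic
        # (client_id:client_secret), the client authentication RFC 6749 2.3.1 describes.
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": "Basic " + creds,
                   "Content-Type": "application/x-www-form-urlencoded"}
        resp = self.transport(self.base_url + TOKEN_PATH, headers, urlencode(form))
        if "access_token" not in resp:
            raise ValueError(f"token endpoint refused: {resp.get('error', 'unknown')}")
        return resp

    # Authorization Code flow: acting on behalf of a user.
    def authorization_url(self, scope):
        """Link the user is sent to; state is a fresh random nonce, used exactly once."""
        state = secrets.token_urlsafe(32)
        self.pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state}
        return f"{self.base_url}{AUTHORIZE_PATH}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Validate the redirect from Space and exchange the code for tokens."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("unknown or replayed state; rejecting callback")
        self.pending_states.discard(state)  # one-time use
        if "error" in query:
            raise ValueError(f"authorization denied: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if not code:
            raise ValueError("callback carries no authorization code")
        return self._token_request({"grant_type": "authorization_code", "code": code,
                                    "redirect_uri": self.redirect_uri})

    def refresh(self, refresh_token):
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": refresh_token})

    # Client Credentials flow: acting as the application itself.
    def client_credentials_token(self, scope):
        return self._token_request({"grant_type": "client_credentials", "scope": scope})


def fake_token_endpoint(url, headers, body):
    """Constructed stand-in for Space's token endpoint so the example runs offline."""
    assert url.endswith(TOKEN_PATH) and headers["Authorization"].startswith("Basic ")
    form = parse_qs(body)
    grant = form["grant_type"][0]
    if grant == "authorization_code":
        if form["code"][0] != "code-123":          # the only code the "server" issued
            return {"error": "invalid_grant"}
        return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}
    if grant == "refresh_token":
        return {"access_token": "at-2", "refresh_token": form["refresh_token"][0]}
    if grant == "client_credentials":
        return {"access_token": "app-at", "expires_in": 600, "scope": form["scope"][0]}
    return {"error": "unsupported_grant_type"}


def demo():
    """Run both flows end to end against the fake endpoint and return the results."""
    client = OAuthClient("https://example.jetbrains.space", "app-id", "app-secret",
                         "https://app.example.com/callback", fake_token_endpoint)
    url = client.authorization_url("global:Profile.View")   # scope string is assumed
    # Simulate Space redirecting the user back with the code and our state.
    callback = f"https://app.example.com/callback?code=code-123&state={state_of(url)}"
    user_tokens = client.handle_callback(callback)
    refreshed = client.refresh(user_tokens["refresh_token"])
    app_tokens = client.client_credentials_token("global:Profile.View")
    return client, user_tokens, refreshed, app_tokens


if __name__ == "__main__":
    _, user_tokens, refreshed, app_tokens = demo()
    print(bearer_headers(user_tokens["access_token"]), refreshed, app_tokens)
```

In a real deployment the pending states live in the user's server-side session rather than a process-wide set, so that a state minted for one browser cannot be redeemed from another, and the client secret comes from a secret store rather than a constructor argument.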
OAuth 2.0 endpoints
Space's OAuth 2.0 endpoints:
How to implement authorization in your application
If you create your application on top of the Space SDK, you can use the SpaceHttpClient class and its extension methods to implement a particular authorization method.
If you don't use the Space SDK, you can follow the generic instructions provided in this documentation.
You can experiment with different authorization ways in the Space Authorization Playground.
To open Authorization Playground
On the main menu, click to expand the menu, then choose Extensions.
On the Extensions sidebar, choose Authorization Playground.