How to build a private app?


(Ankush Thakur) #1

Hello, I’m a developer looking to build a private app for my company. More specifically, I need to develop something that will receive webhook updates and then make REST calls in response (no front-end at all). I have registered my application, but it looks like the rest of the process involves a demo and then submission to the marketplace. What if I don’t want to go that route? What are the recommended steps for me, broadly speaking?

Thanks in advance!


(John Borelli) #2

I guess it would depend on what you are referring to by “I have registered the process”. It sounds like you’re saying you’ve registered or applied to place it on the marketplace because registering isn’t necessary. The only other kind of registering you would need to do is for your Mashery/OAuth client id/secret and your REST endpoints, neither of which has anything to do with demos or the marketplace.


(Ankush Thakur) #3

Hey @John_Borelli, thank you so much for answering. I’m actually quite confused, to be honest, and thought that creating an app was the only way to go, except that it won’t have a front-end. So, you’re saying I don’t need to create an app? I have obtained a client id and secret, but I don’t know how to set up a URL for receiving webhooks, how to subscribe to them, etc. There’s also API throttling. How can this limit be increased?

Thank you so much in advance! :slight_smile:


(John Borelli) #4

Are you just wanting to use REST hooks? If so then you only need your credentials to validate the end point(s). From there all you have to do is be able to work with the data structure that is sent to those endpoints. So while you will need the client id/secret to register the end points, if you’re only using the hooks then you won’t need them after that. GitHub has examples on how to do this and there is more than one way to accomplish this.

There is a built-in method to the api that validates called $infusionsoft->resthooks()->autoverify() or you can just capture the X-Hook-Secret header entry and pass it back to IS. This will verify the endpoint.

Now if you’re just referring to using the REST api (in other words you wish to make requests to the Infusionsoft endpoints) then you can either do so with something like cURL or you can use functions that are built into the api support files found here:

Which have sample code on the matter as well. If the REST api (not REST hooks) are what you are needing to use, then you will need to also manage the access token once you’ve got it by refreshing to get a new set of tokens every 24 hours. This is most commonly done with a simple database table and a timed service on a CRON job.
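
The "simple database table and a timed service on a CRON job" approach from post #4, as an added example that is not part of the original post or the Infusionsoft SDK. `refresh_fn` is a hypothetical callable standing in for the provider's refresh request, and the table layout and one-hour margin are assumptions.

```python
import sqlite3
import time

REFRESH_MARGIN = 3600  # assumed: refresh once less than an hour of lifetime remains


def open_store(path=":memory:"):
    """Open the token table; the CHECK constraint keeps it to a single row."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS tokens ("
               "id INTEGER PRIMARY KEY CHECK (id = 1), "
               "access_token TEXT NOT NULL, refresh_token TEXT NOT NULL, "
               "expires_at INTEGER NOT NULL)")
    return db


def save_tokens(db, access_token, refresh_token, expires_at):
    # A refresh returns a new set of tokens, so both values are replaced
    # together in one transaction; a half-written row would lose the set.
    with db:
        db.execute("INSERT OR REPLACE INTO tokens VALUES (1, ?, ?, ?)",
                   (access_token, refresh_token, int(expires_at)))


def refresh_if_due(db, refresh_fn, now=None):
    """Run from cron. Returns True if a refresh happened, False if not needed.

    refresh_fn(refresh_token) -> (access_token, refresh_token, lifetime_seconds)
    is a hypothetical wrapper around the real refresh request.
    """
    now = int(time.time()) if now is None else int(now)
    row = db.execute(
        "SELECT refresh_token, expires_at FROM tokens WHERE id = 1").fetchone()
    if row is None:
        raise LookupError("no tokens stored; complete the OAuth authorization first")
    refresh_token, expires_at = row
    if expires_at - now > REFRESH_MARGIN:
        return False  # still fresh, nothing to do on this run
    access, new_refresh, lifetime = refresh_fn(refresh_token)
    save_tokens(db, access, new_refresh, now + lifetime)
    return True
```

Scheduling the job more often than the token lifetime (hourly, for a 24-hour token) means one failed run does not leave the integration without a valid token.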


(Ankush Thakur) #5

Thank you, but things are still mixed up for me. :stuck_out_tongue:

I can handle the JSON communication and databases and all that; I’m just not sure how the account is going to be connected.

Considering I only need to receive webhook updates, I think I need to do the following:

  • Register an app as a developer (Done)
  • Obtain client secret and key for the app (Done)
  • Specify a callback URL for the app (Done, but here are some questions: Is this the URL that will receive webhooks? If yes, I’m surprised it doesn’t insist on HTTPS.)
  • Now, how do I connect my InfusionSoft account (as an admin) with this developer account that registered the app? I mean, how will InfusionSoft know which account’s data to send to the callback URL?
  • Finally, are the GitHub examples you referred to these?
    https://github.com/infusionsoft/infusionsoft-php/tree/master/samples

If this process is documented somewhere clearly, please provide the link and I’ll go through it first. It just seems very confusing to me. :confused:


(John Borelli) #6

Ok, so as to how IS knows what app is to be used, the access key you use to request endpoint validation must first have been authorized through the oauth process. This means that once you have a validated endpoint, that endpoint is registered for that authorized app. Nothing more needs to be done there.

I know that in documentation, the callback for oauth requires https but I don’t think the url that is validated as an endpoint has to be.

Yes, those are the github examples I have referred to. Keep in mind that in all but one example, they are referring to REST ‘calls’ not REST hooks. There is one example that includes validating the hooks but both are worked with completely differently. So the hooks use REST calls to get information like a list of registered endpoints but once the endpoint is validated, you really only need to have a script that captures the data and then uses it as you see fit.

For the case of using the REST hooks, you also would not need to maintain the tokens as they are only necessary for validation or for REST calls. You could register the endpoints and from there just have a script that receives data from IS and does something with it. Now if you need to write back to an IS app then that is different and you would need to maintain the keys.

I personally separate these processes. So I use a folder for running api work. But I also have a separate folder with subfolders for each end point like …/contact/create or …/contact/delete and in each I place a single index.php file that reads the request body, gets the JSON code from IS and then processes through that information.

With normal api/REST calls it is business as usual with using a valid access token and making call outs to create contact, apply tags etc.

If you look here at documentation on REST hooks/calls:

https://developer.infusionsoft.com/docs/rest/#!/Rest_Hooks/listHooksUsingGET

it goes over using REST calls to establish REST hooks (among other things). I think you are mostly confused because you are approaching the use of hooks and calls as if they would work the same, understanding that they have some things in common but are not worked with the same. What’s in common is that REST calls are used to define/establish the hook endpoints. But what’s not in common is that the endpoints, having been registered, do not need to make REST calls (although they can). The calls require access token use and maintenance which includes a call for creating the hook reference but the hooks just have to sit there and be ready to receive data.
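
The receiving script described in posts #4 and #6, as an added example that is not part of the original thread or the Infusionsoft SDK. It is framework-independent Python; the function name, the size cap and the requirement that a delivery be a JSON object are assumptions, and the sample requests are constructed.

```python
import json

MAX_BODY = 64 * 1024  # assumed cap; the endpoint is public, so bound what it parses


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def handle_hook(method, headers, body):
    """Return (status, response_headers, event) for one request to the hook URL.

    method, headers and body come from whatever web server hosts the endpoint.
    """
    if method != "POST":
        return 405, {"Allow": "POST"}, None

    # Verification: echo X-Hook-Secret back unchanged, as post #4 describes.
    secret = _header(headers, "X-Hook-Secret")
    if secret is not None:
        # Refuse values that cannot be a clean header (CR/LF would split the response).
        if not secret or len(secret) > 256 or any(c in secret for c in "\r\n"):
            return 400, {}, None
        return 200, {"X-Hook-Secret": secret}, None

    # Normal delivery: anyone can POST here, so validate before using anything.
    if len(body) > MAX_BODY:
        return 413, {}, None
    try:
        event = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {}, None
    if not isinstance(event, dict):
        return 400, {}, None
    return 200, {}, event


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(handle_hook("POST", {"x-hook-secret": "constructed-secret"}, b""))
    print(handle_hook("POST", {}, b'{"constructed": "payload"}'))
    print(handle_hook("POST", {}, b"not json"))
```

Because the hook URL itself carries no credential, the returned event is best treated as a notification to act on only after checking it against data fetched with an authorized REST call.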


(Ankush Thakur) #7

No, I’m not confused about REST hooks vs. calls. I think hooks allow one to receive events as they happen (but then, what is the callback URL for?) while a REST call is a simple hit on an endpoint.

I was confused about how to get started, but I worked it out with some help from the docs. I was able to obtain the code from InfusionSoft but am now stuck with the next step in OAuth: receiving token.

When I send a POST request from the registered domain, I get the following error:

HTTP/1.1 401 Unauthorized
Cache-Control: no-store
Connection: keep-alive
Content-Length: 26
Content-Type: application/json;charset=UTF-8
Date: Fri, 19 May 2017 13:53:25 GMT
Pragma: no-cache
Server: Mashery Proxy
WWW-Authenticate: Basic realm="api.infusionsoft.com"
X-Error-Detail-Header: Account Inactive
X-Mashery-Error-Code: ERR_403_DEVELOPER_INACTIVE
X-Mashery-Responder: prod-j-worker-us-west-1c-63.mashery.com

{
    "error": "invalid_client"
}

What does this mean? That my client ID is incorrect? Or something else? I sent the POST request containing the required params from the command line.


(Ankush Thakur) #8

Ah, never mind. I figured it out. I was using the httpie tool and not using the -f option. Now I have obtained the token. :slight_smile: Will post further questions in new threads. Thank you so much for being patient and giving detailed replies!


(Sam Brody) #9

Would you mind sharing the code from IS you used to gain an access token (pref in curl)? I would like to subscribe to contact.added events using a web hook, I am super confused as well on how to get started (I got client id + secret, dev account…)…


(Ankush Thakur) #10

Hey, Sam. Sorry for the late reply. I used the following curl command to get access token:

curl --data "client_id=client_id&client_secret=client_secret&code=my_code&grant_type=authorization_code&redirect_uri=https://infs.organifi.com" https://api.infusionsoft.com/token

You’ll have to replace the values for client_id, client_secret and code, of course. Hope this helps.