Getting Started

1. After logging in, you will be taken to the CORE Developer Portal dashboard.
   The Dashboard is your home page that displays when you log in to CORE Developer Account. All your apps and their credentials rest here. You can add, update, and delete your apps from your dashboard.
   
2. On the dashboard, click Add New Application.

3. Choose your application name, application type and redirect URI. Enter the description of your application and then click Create.
   
4. You will be prompted to copy your client secret key. Click OK to complete.
   
   The client secret is only generated when your app type is web. The key generated above is for illustration only. It SHOULD NOT be used in an application.
   

Your app needs OAuth keys in order to make a secure connection with CORE. When you create your app, you must include the keys and tokens to get going.

1. From your CORE Developer Portal , click on app details button.
   
2. The app displays the dashboard with your App Name, Client ID and Description. From the Developer Portal dashboard, you will be able to manage your apps, keys and other things.
   
   In case your application type is web, you can generate a new client secret key. Go to the dashboard screen, choose the web application for which you want to generate a new client secret, click on app details button and click on Generate New.

Get Access Token

CORE APIs use the OAuth 2.0 protocol. It is simple and more straightforward to use for authentication and authorization. Developers can start using the APIs almost immediately.

CORE APIs require authentication on all requests made on behalf of a user. Authenticated requests require an access token. These tokens are unique to a user and should be stored securely. In order to obtain an access token, your app needs users to log in with their CORE company credentials and grant the requested permissions. Because the access tokens have an expiry time, your app needs a new access token every time the old one expires. You can get a new access token by repeating the authorization steps and asking the users for consent again or you can use a refresh token to get a new access token behind the scenes. This bypasses the need to repeatedly ask the users for consent. To know more, check out Tokens.

Server-Side Flow

Initiate the OAuth 2.0 process by redirecting the user to the CORE authentication server. To obtain access to the CORE API resources, you will require an access token. To receive the token, follow the steps given below:

Step 1: Direct your users to our authorization URL.

GET /connect/authorize?client_id=Q3ylJatCvnkYqVKLmkH1zWlNzNWB5CkYB36b5mws7HkKUEv9aI&response_type=code&scope=readwrite:core&redirect_uri=https://coredemo.com/

Where:

Parameter	Values	Description
client_id	The Client ID you obtain from the developer dashboard	Required. Identifies which app is making the request. Obtain this value from the Keys tab on the app profile via My Apps on the developer site
scope	Space-delimited set of permissions that the application requests	Required. Identifies the CORE API access that your application is requesting. The values passed in this parameter inform the consent screen that is shown to the user Available scopes include: read:core- Read only access to company data readwrite:core- Full access to company data offline_access - To recieve a Refresh Token openid- Provides access to a user's details like name, address, etc. profile- Provides access to a user's profile excluding address and email address- Provides access to the address claim at the UserInfo endpoint email- Provides access to the email claim at the UserInfo endpoint
redirect_uri	One of the redirect URI values listed for this project in the developer dashboard.	Required. Determines where the response is sent. The value of this parameter must exactly match one of the values listed for this app in the app settings. This includes the https scheme, the same case
response_type	code	Required. Determines whether CORE API OAuth 2.0 endpoint returns an authorization code. Always set this to the code
state	This field can be a Base64 encoded JSON object that can hold multiple values	Authorization protocols provide a state parameter. During authentication, the application sends this parameter in the authorization request, and the Authorization Server will return this parameter unchanged in the response. Your application can use this parameter in order to make sure that the response belongs to a request that was initiated by the same user. Therefore, state helps mitigate CSRF attacks. Restore the previous state of your application

You may provide a scope parameter to request additional permissions outside of the "basic" permissions scope.
You may provide an optional state parameter to carry through a server-specific state. For example, you can use this to protect against CSRF issues.

Step 1(a). Users are taken to the CORE Log In screen and enter their CORE company credentials here.

Step 1(b). CORE displays a consent dialog to the users with the name of your application, requesting permission to access data. Users can modify the scope requested by your application and also select the CORE company, in case a user has multiple companies.

Step 1(c). When done, the users click on Grant Permission to grant the selected permissions to your app. If a user allows offline_access on this page, you have the option to use the refresh token to keep the user signed-in indefinitely without having to ask for consent again.

http://yourdemoapp.com?code=CODE