App Store REST API

Allowing your application to call APIs and perform actions on sites and accounts

There are two different types of authentication required to call the App Store API:

  • Basic Authentication: a static username and password that identify your application. It must be included in every API call you make for your application, using standard HTTP Basic Auth.
  • Duda Access Token: a unique, short-lived token that grants access to the APIs for a specific site. It is sent as a Bearer token. If your application is uninstalled, the token expires, or your access is revoked, calls to the API for that site will fail.

Here is an example GET Site request using both authentication headers:

curl -X GET \
  https://<duda-environment-URL>/api/integrationhub/application/site/{{site_name}}/ \
  -H 'Authorization: Basic ZG9jdW1lbnRhdGlvbjpleGFtcGxlMQ==' \
  -H 'X-DUDA-ACCESS-TOKEN: Bearer ee69a4b4-b843-4e4b-8cf6-e7ff645a1535'

Basic Authentication Credentials

Duda will provide you with a username and password to use when making calls to the API. The provided credentials will work for both the sandbox and production environments.

To create the HTTP Authorization header, combine your username and password into one string separated by a colon, then Base64-encode that string and prefix it with the Basic scheme. For example, the combination 'exampleUser:be$tp@ss' results in the header:

Authorization: Basic ZXhhbXBsZVVzZXI6YmUkdHBAc3M=

Duda Access Token

When an application is installed, the installation callback delivers both a refresh_token and an authorization_code. The authorization code can be used immediately to access the APIs within your application's scope. Store the refresh_token securely; you will use it later to generate new authorization codes (access tokens).

authorization_code tokens are valid for 12 hours. After one expires, you must refresh it using the refresh token together with your basic authentication credentials:

curl -X POST \
  https://<duda-environment-api-url>/api/integrationhub/application/{{appUuid}}/token/refresh \
  -H 'Authorization: Basic ZG9jdW1lbnRhdGlvbjpleGFtcGxlMQ==' \
  -H 'Content-Type: application/json' \
  -d '{"refreshToken": "c7ea6d25-7f5e-4d1b-b569-bbd2e102c7a4"}'

After sending the above request to generate a new authorization code, you will get the following response:

{
    "type": "bearer",
    "authorization_code": "a8b88a96-d0d5-4dc8-b397-9da3044a03bc",
    "refresh_token": "c7ea6d25-7f5e-4d1b-b569-bbd2e102c7a4",
    "expiration_date": 1543977362382
}

The new authorization_code is valid for another 12 hours. Duda returns a 401 Unauthorized HTTP status when an authorization_code has expired. Once you receive a 401, generate a new code at that point and store it for subsequent calls.

The process we recommend implementing to manage auth_codes that can expire.

Credentials Security Best Practice

Using a pair of a permanent refresh token and a temporary access token allows App Providers to establish more secure practices.
It is recommended that providers:

  1. Store the permanent refresh token and restrict access to it to a single utility function.
  2. Have every function that needs a temporary access token to call APIs retrieve it from that utility function.
  3. Keep the temporary access token in memory only, inside the utility function.
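The following is an added example (not Duda's own code) that implements the credential handling described on this page: the Basic header built from 'user:password', the 12-hour authorization_code obtained via the token/refresh endpoint, the 401-driven re-issue, and the recommended single utility function that alone holds the refresh token and keeps the access token in memory. The HTTP transport is injected and a constructed FakeDudaServer stands in for the real environment so the code runs offline; the base URL, app UUID and refresh token are placeholders, and expiration_date is treated as epoch milliseconds, as the sample response's value suggests.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body_text).
# Injecting it keeps the example offline; a real client would wrap an HTTP library here.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value described above: 'user:password', Base64-encoded."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class DudaTokenStore:
    """Sole owner of the permanent refresh token; holds the short-lived code in memory only."""

    REFRESH_SKEW_SECONDS = 60  # refresh slightly early so a call never races the 12-hour expiry

    def __init__(self, base_url: str, app_uuid: str, username: str, password: str,
                 refresh_token: str, transport: Transport, now: Callable[[], float] = time.time):
        self._base_url = base_url.rstrip("/")
        self._app_uuid = app_uuid
        self._basic = basic_auth_header(username, password)
        self._refresh_token = refresh_token  # never handed out to callers
        self._transport = transport
        self._now = now
        self._access_token: Optional[str] = None
        self._expires_at = 0.0  # epoch seconds
        self.refresh_count = 0

    def _refresh(self) -> str:
        url = f"{self._base_url}/api/integrationhub/application/{self._app_uuid}/token/refresh"
        headers = {"Authorization": self._basic, "Content-Type": "application/json"}
        status, body = self._transport("POST", url, headers,
                                       json.dumps({"refreshToken": self._refresh_token}))
        if status != 200:
            raise RuntimeError(f"token refresh failed with HTTP {status}")
        data = json.loads(body)
        self._access_token = data["authorization_code"]
        self._expires_at = data["expiration_date"] / 1000.0  # assumed epoch milliseconds
        self._refresh_token = data.get("refresh_token", self._refresh_token)
        self.refresh_count += 1
        return self._access_token

    def get_access_token(self, force: bool = False) -> str:
        """The single utility function other code calls for a usable authorization_code."""
        expired = self._now() >= self._expires_at - self.REFRESH_SKEW_SECONDS
        if force or self._access_token is None or expired:
            return self._refresh()
        return self._access_token

    def call_site_api(self, method: str, path: str) -> Tuple[int, str]:
        """Send both auth headers; on 401 refresh once and retry, as the text above recommends."""
        status, body = 0, ""
        for attempt in range(2):
            headers = {"Authorization": self._basic,
                       "X-DUDA-ACCESS-TOKEN": "Bearer " + self.get_access_token(force=attempt == 1)}
            status, body = self._transport(method, self._base_url + path, headers, None)
            if status != 401:
                break
        return status, body


class FakeDudaServer:
    """Constructed stand-in for the Duda environment: issues codes with a lifetime,
    rejects expired or revoked ones with 401, and requires Basic auth on every call."""

    def __init__(self, now: Callable[[], float], lifetime_seconds: float = 12 * 3600):
        self._now, self._lifetime, self._issued = now, lifetime_seconds, 0
        self._valid: Dict[str, float] = {}  # authorization_code -> expiry (epoch seconds)

    def revoke_all(self) -> None:
        self._valid.clear()  # simulates an uninstall or revoked access

    def __call__(self, method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, '{"error":"missing basic auth"}'
        if method == "POST" and url.endswith("/token/refresh"):
            self._issued += 1
            code, expiry = f"code-{self._issued}", self._now() + self._lifetime
            self._valid[code] = expiry
            return 200, json.dumps({"type": "bearer", "authorization_code": code,
                                    "refresh_token": json.loads(body)["refreshToken"],
                                    "expiration_date": int(expiry * 1000)})
        token = headers.get("X-DUDA-ACCESS-TOKEN", "")
        code = token[len("Bearer "):] if token.startswith("Bearer ") else ""
        if self._valid.get(code, 0.0) <= self._now():
            return 401, '{"error":"expired or unknown access token"}'
        return 200, '{"site_name":"example-site"}'


def demo() -> Dict[str, int]:
    """Walk through first use, expiry after 12 hours, and a revocation-driven 401 retry."""
    clock = [1_700_000_000.0]  # constructed fake clock so expiry is deterministic
    def now() -> float:
        return clock[0]
    server = FakeDudaServer(now)
    store = DudaTokenStore("https://duda-environment.invalid", "app-uuid-placeholder",
                           "exampleUser", "be$tp@ss", "refresh-token-placeholder", server, now)
    site = "/api/integrationhub/application/site/example-site/"
    first, _ = store.call_site_api("GET", site)
    clock[0] += 13 * 3600  # past the 12-hour lifetime: refreshed proactively before the call
    second, _ = store.call_site_api("GET", site)
    server.revoke_all()  # client still believes its code is valid; server answers 401
    third, _ = store.call_site_api("GET", site)
    return {"first": first, "second": second, "after_revocation": third,
            "refreshes": store.refresh_count}


if __name__ == "__main__":
    print(demo())
```

The skew constant refreshes a minute before the recorded expiry so that a request sent at the boundary does not fail; the 401 path still exists because the server may invalidate a code early (uninstall, revocation), which the client cannot know from its own clock. Keeping the refresh token private to DudaTokenStore means a bug in any API-calling function can at most leak a code that expires within 12 hours.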

Complete API reference

See REST API Reference.

App Scopes

The manifest of your app specifies which APIs it can access and which webhooks it can register to.
When the user installs an application, the scopes are presented to the user for confirmation.

When applications are created for the first time on the Duda Sandbox environment, they will be given all existing scopes in order not to block development. The Duda team will work with you to narrow down scopes to relevant ones before the app goes live.

| Scope | APIs | Webhooks |
|---|---|---|
| APIs and webhooks which don't require a scope | Get Branding | BRANDING_CHANGED |
| GET_ACCOUNT_DETAILS | Get account info | |
| GET_WEBSITE | Get site, Get site backups | PUBLISH, UNPUBLISH, DOMAIN_UPDATED |
| UPDATE_WEBSITE | Update site, Upload resources | DOMAIN_UPDATED |
| PUBLISH_SITE | Publish site, Create site backup, Get site backups, Restore site | PUBLISH, UNPUBLISH, DOMAIN_UPDATED, BLOG_POST_PUBLISH |
| SITE_WIDE_HTML | Get Site-wide widgets, Update Site-wide widgets | |
| GET_PAGES | Get pages, Get page | |
| UPDATE_PAGES | Update page, Delete page, Upload resources | |
| GET_CONTENT_LIBRARY | Get Content Library Data, Get Location Data | CONTENT_LIB_PUBLISHED, CONTENT_LIB_CHANGED |
| UPDATE_CONTENT_LIBRARY | Update content library data, Publish content library changes, Create additional location, Update Location, Delete location, Upload resources | |
| GET_INJECT_CONTENT | Get Inject Content Values | |
| UPDATE_INJECT_CONTENT | Inject content, Upload resources | |
| GET_COLLECTION | Get Site Collections, Get Collection | |
| UPDATE_COLLECTIONS | Create Collection, Update collection, Delete Collection, Add new rows to collection, Update Collection Rows, Delete Collection Rows, Add new field to collection, Delete collection field, Update Field Name | |
| REPORTING | Get contact form data, Get analytics | CONTACT_FORM_SENT |
| GET_BACKUP | Get site backups | SITE_RESTORED |
| MANAGE_BACKUPS | Get site backups, Restore site | SITE_RESTORED |
| UPDATE_SSL | Generate SSL Certificate, Delete SSL Certificate, Renew SSL Certificate | |
