App Store REST API

Allowing your application to call APIs and perform actions on sites and accounts

There are two different types of authentication required to call the App Store API:

  • Basic Authentication: A static username and password that authenticates requests from your application. It must be added to every API call you make for your application. Use basic HTTP Auth to authenticate your request.
  • Duda Access Token: A unique, short-lived token that gives you access to APIs for a specific site. This token is a Bearer token. If your application is uninstalled, your token expires, or your access is revoked, you will not be able to successfully call the API to access this resource.

Here is an example GET Site request using both authentication headers:

curl -X GET \
  https://<duda-environment-URL>/api/integrationhub/application/site/{{site_name}}/ \
  -H 'Authorization: Basic ZG9jdW1lbnRhdGlvbjpleGFtcGxlMQ==' \
  -H 'X-DUDA-ACCESS-TOKEN: Bearer ee69a4b4-b843-4e4b-8cf6-e7ff645a1535'

Basic Authentication Credentials

Duda will provide you with a username and password to use when making calls to the API. The provided credentials will work for both the sandbox and production environments.

To create the HTTP Authorization header, combine your username and password into one string separated by a colon, then Base64-encode that string and prefix the result with the Basic scheme name. For example, the 'exampleUser:be$tp@ss' combination would result in the header:

Authorization: Basic ZXhhbXBsZVVzZXI6YmUkdHBAc3M=

Duda Access Token

When an application is installed, the installation callback delivers both a refresh_token and an authorization_code token. The authorization_code can be used immediately to access the APIs within the scope of your application. Store the refresh_token securely; it is used later to generate new authorization_code tokens.

authorization_code tokens are valid for 12 hours. After one expires, you must refresh it by sending the refresh token together with your basic authentication credentials:

curl -X POST \
  https://<duda-environment-api-url>/api/integrationhub/application/{{appUuid}}/token/refresh \
  -H 'Authorization: Basic ZG9jdW1lbnRhdGlvbjpleGFtcGxlMQ==' \
  -H 'Content-Type: application/json' \
  -d '{"refreshToken": "c7ea6d25-7f5e-4d1b-b569-bbd2e102c7a4"}'

After sending the above request to generate a new authorization code, you will get the following response:

{
  "type": "bearer",
  "authorization_code": "a8b88a96-d0d5-4dc8-b397-9da3044a03bc",
  "refresh_token": "c7ea6d25-7f5e-4d1b-b569-bbd2e102c7a4",
  "expiration_date": 1543977362382
}

The new authorization_code will be valid for another 12 hours. Duda returns a 401 Unauthorized HTTP status code when an authorization_code has expired. Once you receive a 401, generate a new code at that time and store it for use.

The process we recommend implementing to manage auth_codes that can expire.


Credentials Security Best Practice

Using a pair of a permanent refresh-token and a temporary access-token allows App Providers to establish more secure practices.
It is recommended that providers:

  1. Store the permanent refresh-token and restrict access to it to a single utility function.
  2. Have every function that needs a temporary access token to call APIs retrieve it from that utility function.
  3. Keep the temporary access-token in memory inside the utility function.
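The refresh flow above and the three recommendations can be combined in one small token utility. The following is an added example, not Duda's SDK or code from this page: the refresh endpoint path and the response fields (authorization_code, refresh_token, expiration_date in epoch milliseconds) come from the page, while `post_json` is an assumed, injected transport of the form `post_json(url, headers, body) -> (status, json)` so the code runs offline, and `now_ms` is an injectable clock.

```python
import base64
import time

BASE_URL = "https://<duda-environment-api-url>"  # placeholder, as on the page


def basic_auth_header(username, password):
    """Basic auth value: 'Basic ' + Base64('username:password')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class DudaTokenManager:
    """Single utility that owns the refresh token and caches the authorization_code in memory."""

    def __init__(self, app_uuid, username, password, refresh_token, post_json, now_ms=None):
        self._url = f"{BASE_URL}/api/integrationhub/application/{app_uuid}/token/refresh"
        self._basic = basic_auth_header(username, password)
        self._refresh_token = refresh_token            # never returned to callers
        self._post = post_json                         # assumed transport (see lead-in)
        self._now_ms = now_ms or (lambda: int(time.time() * 1000))
        self._code, self._expires_ms = None, 0         # in-memory cache only

    def refresh(self):
        """POST the refresh token with Basic auth and cache the new authorization_code."""
        headers = {"Authorization": self._basic, "Content-Type": "application/json"}
        status, body = self._post(self._url, headers, {"refreshToken": self._refresh_token})
        if status != 200:
            raise RuntimeError(f"token refresh failed: HTTP {status}")
        self._code = body["authorization_code"]
        self._expires_ms = int(body["expiration_date"])  # epoch ms, per the page
        return self._code

    def invalidate(self):
        """Call after an API returned 401: the cached code is treated as expired."""
        self._code = None

    def access_token(self):
        """Valid authorization_code for callers; refreshes when missing or within 60 s of expiry."""
        if self._code is None or self._now_ms() >= self._expires_ms - 60_000:
            return self.refresh()
        return self._code

    def auth_headers(self):
        """Both headers a site-scoped call needs, as in the GET Site example above."""
        return {"Authorization": self._basic, "X-DUDA-ACCESS-TOKEN": "Bearer " + self.access_token()}
```

Callers only ever see `auth_headers()` or `access_token()`; on a 401 they call `invalidate()` and retry once, which forces a refresh without ever touching the refresh token themselves.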

Complete API reference

See REST API Reference.

App Scopes

The manifest of your app specifies which APIs it can access and which webhooks it can register to.
When the user installs an application, the scopes are presented to the user for confirmation.

When applications are created for the first time on the Duda Sandbox environment, they will be given all existing scopes in order not to block development. The Duda team will work with you to narrow down scopes to relevant ones before the app goes live.

APIs and webhooks which don't require a scope

  • Get Branding

  • Get account info

  • Get site
  • Get site backups

  • Update site
  • Upload resources

  • Publish site
  • Create site backup
  • Get site backups
  • Restore site

  • Get Site-wide widgets
  • Update Site-wide widgets

  • Get pages
  • Get page

  • Update page
  • Delete page
  • Upload resources

  • Get Content Library Data
  • Get Location Data

  • Update content library data
  • Publish content library changes
  • Create additional location
  • Update Location
  • Delete location
  • Upload resources

  • Get Inject Content Values

  • Inject content
  • Upload resources

  • Get Site Collections
  • Get Collection

  • Create Collection
  • Update collection
  • Delete Collection
  • Add new rows to collection
  • Update Collection Rows
  • Delete Collection Rows
  • Add new field to collection
  • Delete collection field
  • Update Field Name

  • Get contact form data
  • Get analytics

  • Get site backups

  • Get site backups
  • Restore site

  • Generate SSL Certificate
  • Delete SSL Certificate
  • Renew SSL Certificate
