Authentication

In order to use the Daisycon API you will need to have an advertiser or publisher account (or both). If you don’t already have an account, you can visit Daisycon.com to create an account.

Method: oAuth with PKCE (recommended)

The Daisycon API only supports oAuth 2.1 with PKCE for publisher and advertiser users (leadgeneration accounts will follow soon).

Authenticating via oAuth consists out of a series of steps.

Setup a developer account
Create an app and retrieve your client ID and client secret
Perform an authorization call and token exchange
Start using the API
Perform a refresh call
Common issues
Other documentation & code examples

Setup a developer account

Before you can start using oAuth you will need te setup a developer account in the MyDaisycon interface. It’s not possible to only setup a developer account, you will need to have access to either a a publisher or an advertiser account.

If you have not yet setup a developer account, checkout our documentation here

Create an app and retrieve your client ID and client secret

After creating a developer account, you will need to register an app in the Daisycon system. This will give you a client ID and a client secret to use on your oAuth authentication flow.

When creating an app, think clearly about the permissions the app needs, you would not want to give the app permissions to change your user and account settings if all it needs to do is fetch statistics.

The user that will create the oAuth connection also needs to have these permissions

If you have not yet created an app, checkout our documentation here

Perform an authorization call and token exchange

If you use server-to-server authentication we have a detailed guide available for oAuth over CLI

The oAuth process is a series of handshakes between your application/server and our API.

An oAuth connection is made for 1 publisher or advertiser account if you need access to multiple accounts. You will have to make multiple oAuth connections and store multiple refresh tokens!

Follow the guide below to setup your oAuth process.

Start by generating a unique code verifier inside your client app for this request. The code verifier is must be a random string of the following characters: [A-Z] / [a-z] / [0-9] / “-” / “.” / “_” / “~”,with a minimum length of 43 characters and a maximum length of 128 characters. Be sure to store this code verifier in the users session (see rfc).

PHP example:

function randomString(int $length): string
{
	if ($length < 1)
	{
		throw new InvalidArgumentException('Length must be a positive integer');
	}
	$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-._~';
	$length = strlen($chars) - 1;
	$out = '';
	for ($i  =0; $i < $length; ++$i)
	{
		$out .= $chars[random_int(0, $length)];
	}
	return $out;
}

$codeVerifier = randomString(random_int(43, 128));

Javascript example:

function generateRandomString(length) {
	let randomString = '';
	let allowedChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

	for (let charNumber= 0; charNumber < length; ++charNumber) {
		randomString += allowedChars.charAt(Math.floor(Math.random() * allowedChars.length));
	}
	return randomString;
}

function getRandomInt(max) {
  return Math.floor(Math.random() * max);
}

const codeVerifier = generateRandomString(getRandomInt(128));

From the generated code verifier create a code challenge. This is the base64 url encoded sha-256 hash of the code verifier.

PHP example:

/**
 * Get hash
 *
 * @param string $code
 * @return string
 */
private function hash(string $code): string
{
	return str_replace(
		'=', 
		'', 
		strtr(
			base64_encode(
				hash('sha256', $code, true)
			), 
			'+/', 
			'-_'
		)
	);
}

$codeChallenge = hash($codeVerifier);

Javascript example:

async function generateCodeChallenge(codeVerifier) {
	let digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));

	return btoa(String.fromCharCode(...new Uint8Array(digest)))
		.replace(/=/g, '')
		.replace(/\+/g, '-')
		.replace(/\//g, '_');
}

const codeChallenge = await this.generateCodeChallenge(codeVerifier);

Redirect the user to the Daisycon oAuth URL. (Be sure to URL encode all query param values and make sure your redirect URI is registered to the app)

https://login.daisycon.com/oauth/authorize?response_type=code&client_id=APP_CLIENT_ID&redirect_uri=APP_REDIRECT_URI&code_challenge=GENERATED_CODE_CHALLENGE

When using Sandbox use:

https://login.daisycon.com/oauth-sandbox/authorize?response_type=code&client_id=APP_CLIENT_ID&redirect_uri=APP_REDIRECT_URI&code_challenge=GENERATED_CODE_CHALLENGE

* Optionally you can add the state parameter with your own data, this will be returned to the callback redirect url.

After a successful login the oAuth will redirect back towards your redirect URI with a code (if passed in the request, your state)
```
https://your-redirect.uri/and/path?code=OAUTH_CODE[&state=YOUR_STATE]
```

With your received code make a server side POST call. (If your APP is a client side app, do NOT include your client secret!).

PHP example (with client secret). For Sandbox use “https://login.daisycon.com/oauth-sandbox/access-token”:

function httpPost($url, $data)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($curl);
    curl_close($curl);
    return $response;
}

$response = httpPost(
	'https://login.daisycon.com/oauth/access-token',
	[
		'grant_type'    => 'authorization_code',
		'redirect_uri'  => 'APP_REDIRECT_URI',
		'client_id'     => 'APP_CLIENT_ID',
		'client_secret' => 'APP_CLIENT_SECRET'
		'code'          => 'RECEIVED_AUTH_CODE',
		'code_verifier' => 'GENERATED_CODE_VERIFIER',
	]
);

Javascript example (without client secret!):

try
{
    const data = {
        grant_type: 'authorization_code',
        code: 'RECEIVED_AUTH_CODE',
        client_id: 'APP_CLIENT_ID',
        client_secret: '', // leave empty
        redirect_uri: 'APP_REDIRECT_URI',
        code_verifier: 'GENERATED_CODE_VERIFIER'
    };
    const response = await fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify(data)
    );
    console.log(response.json());
} catch (e) {
    console.error(e);
}

You’ve now received an API access token that’s valid for 30 minutes and a refresh token that is valid for 30 days
Example response:
```
{
   "access_token":"string",
   "refresh_token":"string"
}
```

Start using the API

Now that you have an access token and a refresh token you can start using our API by supplying the access token in the Authorization header.

Perform a refresh call

After 30 minutes your authentication token expired and you can no longer use it to perform API calls. But no worries! You’ve also received a refresh token. You can use this refresh token once to fetch another set of an access token and a refresh token. You can repeat this process indefinitely (or at least until someone revokes your access via the interface)

To refresh your session using the refresh token, perform another POST call and you’ll receive a new access token and refresh token. (A refresh token can only be used once, so be sure to store the new refresh token!)

PHP example (with client secret). For Sandbox use “https://login.daisycon.com/oauth-sandbox/access-token”:

function httpPost($url, $data)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($curl);
    curl_close($curl);
    return $response;
}

$response = httpPost(
	'https://login.daisycon.com/oauth/access-token',
	[
		'grant_type'    => 'refresh_token',
		'redirect_uri'  => 'APP_REDIRECT_URI',
		'client_id'     => 'APP_CLIENT_ID',
		'client_secret' => 'APP_CLIENT_SECRET'
		'refresh_token' => 'RECEIVED_REFRESH_TOKEN',
	]
);

Javascript example (without client secret!):

try
{
    const data = {
        grant_type: 'refresh_token',
        refresh_token: 'RECEIVED_REFRESH_TOKEN',
        client_id: 'APP_CLIENT_ID',
        client_secret: '', // leave empty
        redirect_uri: 'APP_REDIRECT_URI'
    };
    const response = await fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify(data)
    );
    console.log(response.json());
} catch (e) {
    console.error(e);
}

Common issues

Below are a few of the commonly known issues

I get the following error message: “Could not update token permissions due to the following constraint violation: User lacks service groups”
- When you receive this error it means the app is asking for permissions that the authenticating user does not have. This is most commonly caused by asking for more permissions than the app needs or by asking for permissions in the custom group. Custom permissions are setup for specific publishers only, you should only request those if your user has access to them. To see or update what permissions your user has, log into the account as an account admin go to settings -> connected users and click the user used to authenticate. Also check your app under tools -> daisycon api -> your developer account -> your app.
I get one of the following error message: “Client authentication failed” or “Invalid client”
- This could be caused by various mistakes. Due to security constraints the error will not tell you exactly what mistake you made. We recommend checking the list below in this order.
  - Your client ID is incorrect
  - Your redirect_uri is incorrect, please note the redirect uri needs to be identical to what has been entered including any trailing slashes! Query parameters are ignored and do not need to be entered when configuring a redirect uri
  - Your code verifier is incorrect
My app does not support user interaction, we have a server to server setup.
- This does not mean your app does not support user interaction, it does mean that your user interaction is via CLI though. Please checkout our detailed guide on setting up oAuth over CLI
Invalid protocol TLS.
- As of april 3rd 2023, the Daisycon API only supports TLS 1.3. TLS 1.3 is the latest update to Transport Layer Security. This encryption protocol is faster (reduces HTTPS overhead) and is more secure than TLS 1.2.

Authentication in the Swagger Daisycon API documentation

In the Swagger Daisycon API documentation, you can interact with most of the available API resources. Authentication is also required here. To get started, follow these steps:

Go to the Daisycon Common Data API documentation and locate the /authenticate call.
Click on Try it out to enable the fields for input.
In the body section, replace the "string" placeholders with your Daisycon username and password. Put them between the quotation marks
Click on Execute.

If successful, you will receive the required authentication token in the response body. Copy this token (a long string), but do not include the double quotes.

Next, go to the Swagger Daisycon API documentation for advertisers, publishers, or common data.
Click on Authorize (usually found at the top of the page).
In the Value field, paste the token you copied, preceded by Bearer (note the space after “Bearer”).
Click on Authorize again.

If successful, the status will show as Authorized, and you can now make API calls using the authenticated session.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
_cfuvid	session	This cookie, set by Cloudflare, is used for applying rate limits to traffic where multiple unique visitors share the same IP address.
_GRECAPTCHA	6 months	Google Recaptcha service sets this cookie to identify bots to protect the website against malicious spam attacks.
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
rc::a	never	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::b	session	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::c	session	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::f	never	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.

Cookie	Duration	Description
COMPASS	1 hour	The COMPASS cookie is used by Yahoo to deliver targeted advertising based on user's online behavior.
fr	3 months	Facebook sets this cookie to show relevant advertisements by tracking user behaviour across the web, on sites with Facebook pixel or Facebook social plugin.
NID	6 months	Google sets the cookie for advertising purposes; to limit the number of times the user sees an ad, to unwanted mute ads, and to measure the effectiveness of ads.
S	1 hour	Used by Yahoo to provide ads, content or analytics.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.

Cookie	Duration	Description
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
pll_language	1 year	Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way.
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
vc	session	The vc cookie is set by addthis.com on sites that allow sharing on social media.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
_fbp	3 months	Facebook sets this cookie to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising after visiting the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	2 years	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.