Authentication

In order to use the Daisycon API you will need to have an advertiser or publisher account (or both). If you don’t already have an account, you can visit Daisycon.com to create an account.

Method 1: oAuth with PKCE (recommended)
The Daisycon API supports oAuth 2.1 with PKCE for publisher and advertiser users (leadgeneration accounts will follow soon).
To get started you’ll need to have a developer account and register an app for a client id and client secret.

The oAuth process is a series of handshakes between your application/server and our API.

An oAuth connection is made for 1 publisher or advertiser account if you need access to multiple accounts. You will have to make multiple oAuth connections and store multiple refresh tokens!

Follow the guide below to setup your oAuth process.

Start by generating a unique code verifier inside your client app for this request. The code verifier is must be a random string of the following characters: [A-Z] / [a-z] / [0-9] / “-” / “.” / “_” / “~”,with a minimum length of 43 characters and a maximum length of 128 characters. Be sure to store this code verifier in the users session (< href="https://datatracker.ietf.org/doc/html/rfc7636#section-4.1" target="_blank" rel="noopener noreferrer">see rfc).

PHP example:

function randomString(int $length): string
{
	if ($length < 1)
	{
		throw new InvalidArgumentException('Length must be a positive integer');
	}
	$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-._~';
	$length = strlen($chars) - 1;
	$out = '';
	for ($i  =0; $i < $length; ++$i)
	{
		$out .= $chars[random_int(0, $length)];
	}
	return $out;
}

$codeVerifier = randomString(random_int(43, 128));

Javascript example:

function generateRandomString(length) {
	let randomString = '';
	let allowedChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

	for (let charNumber= 0; charNumber < length; ++charNumber) {
		randomString += allowedChars.charAt(Math.floor(Math.random() * allowedChars.length));
	}
	return randomString;
}

function getRandomInt(max) {
  return Math.floor(Math.random() * max);
}

const codeVerifier = generateRandomString(getRandomInt(128));

From the generated code verifier create a code challenge. This is the base64 url encoded sha-256 hash of the code verifier.

PHP example:

/**
 * Get hash
 *
 * @param string $code
 * @return string
 */
private function hash(string $code): string
{
	return str_replace(
		'=', 
		'', 
		strtr(
			base64_encode(
				hash('sha256', $code, true)
			), 
			'+/', 
			'-_'
		)
	);
}

$codeChallenge = hash($codeVerifier);

Javascript example:

async function generateCodeChallenge(codeVerifier) {
	let digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));

	return btoa(String.fromCharCode(...new Uint8Array(digest)))
		.replace(/=/g, '')
		.replace(/\+/g, '-')
		.replace(/\//g, '_');
}

const codeChallenge = await this.generateCodeChallenge(codeVerifier);

Redirect the user to the Daisycon oAuth URL. (Be sure to URL encode all query param values and make sure your redirect URI is registered to the app)
```
https://login.daisycon.com/oauth/authorize?response_type=code&client_id=APP_CLIENT_ID&redirect_uri=APP_REDIRECT_URI&code_challenge=GENERATED_CODE_CHALLENGE
```
* Optionally you can add the state parameter with your own data, this will be returned to the callback redirect url.
After a successful login the oAuth will redirect back towards your redirect URI with a code (if passed in the request, your state)
```
https://your-redirect.uri/and/path?code=OAUTH_CODE[&state=YOUR_STATE]
```

With your received code make a server side POST call. (If your APP is a client side app, do NOT include your client secret!).

PHP example (with client secret):

function httpPost($url, $data)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($curl);
    curl_close($curl);
    return $response;
}

$response = httpPost(
	'https://login.daisycon.com/oauth/access-token',
	[
		'grant_type'    => 'authorization_code',
		'redirect_uri'  => 'APP_REDIRECT_URI',
		'client_id'     => 'APP_CLIENT_ID',
		'client_secret' => 'APP_CLIENT_SECRET'
		'code'          => 'RECEIVED_AUTH_CODE',
		'code_verifier' => 'GENERATED_CODE_VERIFIER',
	]
);

Javascript example (without client secret!):

try
{
    const data = {
        grant_type: 'authorization_code',
        code: 'RECEIVED_AUTH_CODE',
        client_id: 'APP_CLIENT_ID',
        client_secret: '', // leave empty
        redirect_uri: 'APP_REDIRECT_URI',
        code_verifier: 'GENERATED_CODE_VERIFIER'
    };
    const response = await fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify(data)
    );
    console.log(response.json());
} catch (e) {
    console.error(e);
}

You’ve now received an API access token that’s valid for 30 minutes and a refresh token that is valid for 30 days

Example response:
```
{
   "access_token":"string",
   "refresh_token":"string"
}
```

To refreshing your session using the refresh token, perform another POST call and you’ll receive a new access token and refresh token. (A refresh token can only be used once, so be sure to store the new refresh token!)

PHP example (with client secret):

function httpPost($url, $data)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($curl);
    curl_close($curl);
    return $response;
}

$response = httpPost(
	'https://login.daisycon.com/oauth/access-token',
	[
		'grant_type'    => 'refresh_token',
		'redirect_uri'  => 'APP_REDIRECT_URI',
		'client_id'     => 'APP_CLIENT_ID',
		'client_secret' => 'APP_CLIENT_SECRET'
		'refresh_token' => 'RECEIVED_REFRESH_TOKEN',
	]
);

Javascript example (without client secret!):

try
{
    const data = {
        grant_type: 'refresh_token',
        refresh_token: 'RECEIVED_REFRESH_TOKEN',
        client_id: 'APP_CLIENT_ID',
        client_secret: '', // leave empty
        redirect_uri: 'APP_REDIRECT_URI'
    };
    const response = await fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify(data)
    );
    console.log(response.json());
} catch (e) {
    console.error(e);
}