OAuth2 access token vs API key


likun liu

Aug 15, 2013, 2:38:27 AM
to mailchimp-...@googlegroups.com
Hi, 

It seems all the MailChimp APIs require an API key. In the OAuth2 case, if I've been granted an access token by the account owner through the OAuth2 process, how do I make API requests to that account using the access token without the account's API key? Is there any way to query the API key of that account via the OAuth access token? If I don't have the API key for that account, the access token seems useless. Did I miss something?

Thanks and regards,
Likun 

jesse

Aug 15, 2013, 6:42:39 AM
to mailchimp-...@googlegroups.com
Yes, you missed the parts of the docs that specifically say the token is the API key.
http://apidocs.mailchimp.com/oauth2/


jesse

likun liu

Aug 15, 2013, 9:53:02 PM
to mailchimp-...@googlegroups.com
Thanks!

likun liu

Aug 19, 2013, 9:47:06 PM
to mailchimp-...@googlegroups.com
Hi Jesse,

I'm wondering if it would be a good idea to make the API key in the request payload optional when the OAuth access token is already passed in the Authorization header. In this case the API key is duplicate information, and it's making it difficult to develop a new app.

Thanks,
Likun


On Thursday, August 15, 2013 8:42:39 PM UTC+10, jesse wrote:

jesse

Aug 20, 2013, 2:07:00 PM
to mailchimp-...@googlegroups.com
It's hard to see that making a difference unless you've also skipped over the part directly after what I pointed you at that says "After retrieving that, you won't need to use (and currently can't) an OAuth2 client to make Standard API calls."

http://apidocs.mailchimp.com/oauth2/


jesse

likun liu

Aug 20, 2013, 9:56:50 PM
to mailchimp-...@googlegroups.com
Hi Jesse,

I'm working on a JavaScript app for MailChimp, but the OAuth flow is done on our server side and the token is saved on the server; we don't want to pass the token to the page for security reasons. So when I make an Ajax call to MailChimp, our server adds the token to the 'Authorization' header, which isn't hard. But now we also have to manipulate the payload data to add the API key, which is kind of messy. If we could leave the payload untouched, that would be ideal. What do you think?

Thanks,

Likun

jesse

Aug 21, 2013, 5:50:14 AM
to mailchimp-...@googlegroups.com
Don't attempt to develop client-side JavaScript apps that access our API. Any client-side JavaScript should go through your server to access the API.


jesse

likun liu

Aug 21, 2013, 7:37:27 PM
to mailchimp-...@googlegroups.com
Hi Jesse,

It's our server that accesses the MailChimp API, but the request originates from the client side. Our server also makes requests to other OAuth servers. My pain point is that our server normally just populates the 'Authorization' header with the OAuth token when making API calls to other OAuth servers, but for MailChimp we also have to touch the payload to populate the API key. If we didn't have to deal with the payload, it would be much cleaner.

Thanks,
Likun
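The server-side pattern the thread converges on, as an added example that is not code from the thread or from MailChimp: the browser sends only its own payload, the server looks up the stored OAuth token, copies it into the Authorization header and the payload's `apikey` field (since the token is the API key), and rejects any client attempt to supply `apikey` itself. `API_BASE`, the `Bearer` scheme and the helper names are assumptions.

```javascript
// Added example: server-side request builder for a browser client's
// MailChimp call. The OAuth token never leaves the server.
// Assumptions: API_BASE, the "Bearer" header scheme, and all helper names.

const API_BASE = "https://api.mailchimp.com/2.0"; // assumed base URL

// Credential fields the browser client must never be allowed to control.
const RESERVED_FIELDS = ["apikey"];

// Returns the payload the server will actually send, with the stored token
// injected as "apikey". Throws if the client tried to set a reserved field.
function prepareBody(clientPayload, token) {
  if (clientPayload === null || typeof clientPayload !== "object" ||
      Array.isArray(clientPayload)) {
    throw new Error("payload must be a JSON object");
  }
  for (const field of RESERVED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(clientPayload, field)) {
      throw new Error(`client must not set "${field}"`);
    }
  }
  // Copy first so the caller's object is not mutated.
  return { ...clientPayload, apikey: token };
}

// Builds the outgoing request: token in the Authorization header (scheme is
// an assumption) and, as the thread explains, in the payload as the API key.
function buildMailchimpRequest(method, clientPayload, token) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("no OAuth token stored for this account");
  }
  const body = prepareBody(clientPayload, token);
  return {
    url: `${API_BASE}/${method}`,
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${token}`,
    },
    body: JSON.stringify(body),
  };
}

// Strips the credential before a request description is ever shown to the
// browser (e.g. in a debug response), so the token stays server-side.
function redactForClient(request) {
  const { headers, body, ...rest } = request;
  const parsed = JSON.parse(body);
  delete parsed.apikey;
  const safeHeaders = { ...headers };
  delete safeHeaders.Authorization;
  return { ...rest, headers: safeHeaders, body: JSON.stringify(parsed) };
}
```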