Authentication

There are two forms of authentication within the Cronofy API. Broadly speaking, this is split into two categories:

  1. Authenticating as a specific user
  2. Authenticating as an application

User Authentication

For endpoints relating to a specific user, such as Read Events, authentication is performed via OAuth 2.0 tokens. As an API client you will be issued with a client_id and a client_secret to be used as specified in RFC 6749 to retrieve access tokens in order to perform actions on behalf of a user.

Access Tokens MUST be passed with each API request as a Bearer Authorization header as specified in RFC 6750.

For example:

GET /v1/calendars HTTP/1.1
Host: api.cronofy.com
Authorization: Bearer {ACCESS_TOKEN}

Application Authentication

For endpoints where potentially many users are involved, authentication can be performed via the common authorized application. As an API client you will be issued with a client_id and a client_secret to be provided within the body of the request to authenticate your application.

For example, Real-Time Scheduling uses this mechanism, as the availability of many participants may be considered as part of these calls.

Example Request (Partial)

POST /v1/real_time_scheduling HTTP/1.1
Host: api.cronofy.com
Content-Type: application/json; charset=utf-8

{
  "client_id": "{CLIENT_ID}",
  "client_secret": "{CLIENT_SECRET}"
}

Error responses

401 Unauthorized

The request was refused as the provided authentication credentials were not recognized.

When an OAuth refresh_token is available then it should be used to request a replacement auth_token before the request is retried.

403 Forbidden

The request was refused as the provided authorization credentials were recognized but do not grant sufficient privileges.

You will need to make an additional authorization request for the scope required for the forbidden request.
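The following is an added example (not Cronofy's code) showing how a client should treat the two error responses above: a 401 is met by one refresh and one retry, while a 403 is surfaced to the caller because no refresh can add scope. The refresh itself is left to a caller-supplied function (the RFC 6749 refresh_token grant against the token endpoint, whose URL this page does not give), and FakeCronofy with its /v1/needs_more_scope path is a constructed stand-in so the flow runs offline.

```python
from dataclasses import dataclass

API_HOST = "api.cronofy.com"

@dataclass
class Tokens:
    access_token: str
    refresh_token: str

def bearer_headers(access_token: str) -> dict:
    # RFC 6750: the access token travels only in the Authorization header.
    return {"Host": API_HOST, "Authorization": f"Bearer {access_token}"}

def call_with_retry(send, refresh, tokens: Tokens, path: str):
    """send(path, headers) -> (status, body); refresh(tokens) -> Tokens.
    401 (credentials not recognized): refresh once, retry exactly once.
    403 (recognized, scope insufficient): a refresh cannot fix this, so raise."""
    status, body = send(path, bearer_headers(tokens.access_token))
    if status == 401:
        tokens = refresh(tokens)  # caller performs the RFC 6749 refresh_token grant
        status, body = send(path, bearer_headers(tokens.access_token))
    if status == 403:
        raise PermissionError(f"insufficient scope for {path}; authorize the needed scope")
    return status, body, tokens

class FakeCronofy:
    """Constructed stand-in for the API so the flow runs offline."""
    def __init__(self):
        self.valid = {"at-new"}
        self.refreshes = 0

    def send(self, path, headers):
        token = headers["Authorization"].split(" ", 1)[1]
        if token not in self.valid:
            return 401, "unauthorized"
        if path == "/v1/needs_more_scope":  # constructed path for the 403 case
            return 403, "forbidden"
        return 200, "[]"

    def refresh(self, tokens):
        self.refreshes += 1
        return Tokens("at-new", tokens.refresh_token)

def demo(path="/v1/calendars"):
    """Returns (status, access token in use, refresh count), or 'forbidden' on 403."""
    api = FakeCronofy()
    try:
        status, _, tokens = call_with_retry(api.send, api.refresh, Tokens("at-expired", "rt"), path)
    except PermissionError:
        return "forbidden"
    return status, tokens.access_token, api.refreshes
```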
