User Authentication


Request Details

| Item | Value |
|---|---|
| Description | To log in a user to your loyalty program, use the “auth-sign-in” endpoint. This endpoint will return: (1) A URL to redirect the end user to; (2) Cookies will be set in the urlofprogram.com domain and the user will be redirected to a second URL; (3) Cookies will be set in the crowdtwist.com domain and the user will be redirected to the final URL. |
| Method | POST |
| Endpoint | https://[url_of_program]/http/v2/auth-sign-in?api_sig=[api signature] |


Request

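URL PARAMETERS

| Field Name | Sample Value | Required | Format | Notes |
|---|---|---|---|---|
| url_of_program | rewards.crowdtwist.com | Yes | String | URL of your CrowdTwist rewards account. |

QUERY STRING PARAMETERS

| Field Name | Sample Value | Required | Format | Notes |
|---|---|---|---|---|
| api_sig | 3c7aadd03c7134a0e91b9e7271dc8124 | Yes | String | Computed API signature for request. |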


Request Body

| Field Name | Sample Value | Required | Format | Notes |
|---|---|---|---|---|
| username | alicect | Yes | String | Username of user to verify. |
| password | test123 | No | String | Password of user for CrowdTwist hosted registration. |
| verified | 1 | No | Integer | If user has already been authenticated (client hosted registration), this will bypass the password requirement. |
| redirect | | | String | URL that you must redirect the end user to in order to complete the authentication process. This URL will set cookies in the end user’s browser, and ultimately redirect the end user to the URL provided in the “redirect” parameter given on the response. |
| facebook_user_id | | No | Numeric String | User’s Facebook user ID value; can be passed on this API request for the purpose of refreshing the user’s Facebook access token. NOTE: if any of the Facebook values are provided, all three will be required. |
| facebook_access_token | | No | String | User’s Facebook access token value; can be passed on this API request for the purpose of refreshing the user’s Facebook access token. NOTE: if any of the Facebook values are provided, all three will be required. |
| date_fb_token_expires | 1380646979 | No | Integer | Unix timestamp of when the user’s Facebook access token will expire; can be passed on this API request for the purpose of refreshing the user’s Facebook access token. NOTE: if any of the Facebook values are provided, all three will be required. |


Assembling the API Signature
Step One: Sort the key value array by keys
Step Two: For each parameter, assemble the key-value pair in this format “key=value”
Step Three: Concatenate the assembled strings with a ‘&’ delimiter
Step Four: Append your v2 API key value to the end of the concatenated string
Step Five: Hash the result using an MD5 algorithm

Example:
   redirect: http://www.crowdtwist.com/
   username: 123
   password: abc or verified: 1
Step One: ‘username’=’123’, ‘password’=’abc’, ‘redirect’=’http://www.crowdtwist.com’
Step Two: password=abc, redirect=http://www.crowdtwist.com, username=123
Step Three: password=abc&redirect=http://www.crowdtwist.com&username=123
Step Four: password=abc&redirect=http://www.crowdtwist.com&username=123QWERTYUIOP
Step Five: 2a3bf00c299d463b54d98dc9d6cd23c7
    In step four above, the v2 API key of “QWERTYUIOP” has been appended to the string to be hashed.
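
The five steps above as runnable Python, an added example that is not CrowdTwist's own code. Function names are illustrative; signing the raw (un-encoded) values follows the page's example, and form-encoding the POST body is an assumption.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# The three optional Facebook fields are all-or-nothing per the request table.
FACEBOOK_FIELDS = {"facebook_user_id", "facebook_access_token", "date_fb_token_expires"}

def canonical_string(params):
    """Steps one to three: sort by key, format key=value, join with '&'."""
    # Raw values are signed, as in the page's example (assumption for other inputs).
    return "&".join(f"{key}={params[key]}" for key in sorted(params))

def api_signature(params, api_key):
    """Steps four and five: append the v2 API key, then take the MD5 hex digest."""
    # The API key is the only secret in this scheme, so compute this server-side.
    signing_input = canonical_string(params) + api_key
    return hashlib.md5(signing_input.encode("utf-8")).hexdigest()

def signature_matches(params, api_key, presented_sig):
    """Recompute the signature and compare without leaking timing information."""
    expected = api_signature(params, api_key).encode("ascii")
    return hmac.compare_digest(expected, presented_sig.lower().encode("utf-8"))

def build_request(program_host, params, api_key):
    """Return (url, form_body) for the auth-sign-in POST; sends nothing."""
    supplied = FACEBOOK_FIELDS.intersection(params)
    if supplied and supplied != FACEBOOK_FIELDS:
        raise ValueError("Facebook fields must be supplied together: "
                         + ", ".join(sorted(FACEBOOK_FIELDS - supplied)) + " missing")
    sig = api_signature(params, api_key)
    url = f"https://{program_host}/http/v2/auth-sign-in?api_sig={sig}"
    # Form-encoding the body is an assumption; the page prints the pairs unencoded.
    return url, urlencode(sorted(params.items()))

if __name__ == "__main__":
    # Values from the page's worked example; QWERTYUIOP is its sample API key.
    sample = {"username": "123", "password": "abc",
              "redirect": "http://www.crowdtwist.com"}
    print(canonical_string(sample))
    print(build_request("rewards.crowdtwist.com", sample, "QWERTYUIOP"))
```
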

Making the HTTP request
Finally, you must perform an HTTP POST with the parameters. This would result in an HTTP POST of:

HTTP POST: https://[url_of_program]/http/v2/auth-sign-in?api_sig=2a3bf00c299d463b54d98dc9d6cd23c7
POST Parameters: password=abc&redirect=http://www.crowdtwist.com&username=123

Successful Response

{
  "redirect_url": "https://[url_of_program]/auth-login/1144589e25e5c7326c2a9dfdf4cb2bbf021b7f5b814c2dd7-3a3225f1f794b1cafa81d603f8dccdcb16968514?r=http%3A%2F%2Fwww.crowdtwist.com%3Ftimestamp%3D1481830950%26user_id%3D48073794%26username%3Ddrosen%26verified%3D1%26sig%3Dd48156b8a33d40e17cdbf75a79148e54",
  "verified": "verified",
  "user_id": "48073794"
}

You should extract this URL from the response headers, and deliver the end user to it. The user will proceed to have all of their CrowdTwist cookies expired, and they will be delivered to the “redirect” URL once the process is complete. Upon an invalid request, an HTTP 400 Bad Request with response body will be returned indicating an error.

Sample Error Response: Invalid API Signature

{
  "error": "error",
  "message": "invalid api_sig"
}

Sample Error Response: Query String Parameters Not Provided

{
  "error": "error",
  "message": "no parameters provided"
}

Sample Error Response: API Signature Not Provided

{
  "error": "error",
  "message": "api_sig parameter was not provided"
}