Connect API - Authentication Flow

Portfolio Authorisation

Access to a user's portfolio involves a series of steps. Note that much of the complexity can be taken care of by using an appropriate OAuth library.

The OAuth request cycle is roughly:

  1. Retrieve a request token
  2. Request user authorization by sending the user to a Sharesight login page via the Authorize URL
  3. Exchange the request token for an access token

The diagram and description below illustrate the OAuth authentication flow:

A Partner Organisation requests Request Token

This request happens out of band (ie: is not visible to the client).

The request includes:

  • oauth_consumer_key
  • oauth_signature_method (HMAC-SHA1)
  • oauth_signature
  • oauth_timestamp
  • oauth_nonce
  • oauth_version (optional)
  • oauth_callback (optional)

B Sharesight grants Request Token

This request happens out of band (ie: is not visible to the client).

The response includes:

  • oauth_token
  • oauth_token_secret
  • oauth_callback_confirmed

C Partner Organisation directs User to Sharesight

The request includes:

  • oauth_token
  • user details (optional)

You can optionally send through some additional information about your user. This will allow Sharesight to detect if the user has a current account. It will also reduce the need for re-keying data that has already been entered.

To enable this functionality, you should append the following parameters to the authorize URL. The currently supported parameters are:

Name            Details                                                                                        Example
first_name      The user's first name                                                                          John
last_name       The user's last name                                                                           Smith
portfolio_name  The name of the user's portfolio, or proposed portfolio                                        Smith Family Trust
email           The user's primary email address                                                               [email protected]
country_code    Two digit code for the domiciled country of the user, or their tax entity (eg: family trust)   AU

All of these parameters are optional.

An example URL including these parameters is:

https://api.sharesight.com/oauth/authorize?oauth_token=R2DiQMk1Est5d5nWp7Xa&[email protected]&portfolio_name=Smith%20Family%20Trust&first_name=John&last_name=Smith&country_code=AU

Note: Please remember to escape your URL parameters.

The client will be presented with the Sharesight login / register page where they can log into their account (existing Sharesight customers) or create a new account. Upon logging in / registering they will be presented with a prompt asking them to grant you access to their portfolio.

D Sharesight directs User back to Partner Organisation

The user will then be redirected back to your site (this redirect may be customised by using the callback URL).

The response includes:

  • oauth_token
  • oauth_verifier

E Partner Organisation requests Access Token

This request happens out of band (ie: is not visible to the client).

The request includes:

  • oauth_consumer_key
  • oauth_token
  • oauth_signature_method (HMAC-SHA1)
  • oauth_signature
  • oauth_timestamp
  • oauth_nonce
  • oauth_version (optional)
  • oauth_verifier

F Sharesight grants Access Token

This request happens out of band (ie: is not visible to the client).

A long term access token is returned. This token will not expire and must be stored securely in order to provide ongoing access to the portfolio.

The response includes:

  • oauth_token
  • oauth_token_secret

G Partner Organisation accesses User's Sharesight Portfolio

This request happens out of band (ie: is not visible to the client).

The request includes:

  • oauth_consumer_key
  • oauth_token
  • oauth_signature_method (HMAC-SHA1)
  • oauth_signature
  • oauth_timestamp
  • oauth_nonce
  • oauth_version (optional)
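
The signed requests in steps A, E and G and the escaped authorize URL in step C, as an added example that is not part of the Sharesight documentation: it computes the OAuth 1.0 HMAC-SHA1 signature as specified in RFC 5849 using only the Python standard library. The function names, the POST method, the request-token URL placeholder and the sample key and secret are assumptions, and the URL passed for signing is assumed to be already normalised with no query string.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

AUTHORIZE_URL = "https://api.sharesight.com/oauth/authorize"  # from the page

def pct(value):
    """RFC 5849 escaping: only A-Z a-z 0-9 - . _ ~ are left literal."""
    return quote(str(value), safe="~")

def base_string(method, url, params):
    """Method, URL and the sorted, escaped parameters joined with '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_params(method, url, consumer_key, consumer_secret,
                  token=None, token_secret="", extra=None):
    """Steps A, E and G; extra carries oauth_callback or oauth_verifier."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(16),  # fresh random value per request
        "oauth_version": "1.0",
        **(extra or {}),
    }
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

def authorize_url(oauth_token, **user_details):
    """Step C: escaping stops '&' or '=' in user data adding query parameters."""
    query = {"oauth_token": oauth_token, **user_details}
    return AUTHORIZE_URL + "?" + "&".join(f"{pct(k)}={pct(v)}" for k, v in query.items())

if __name__ == "__main__":
    # Constructed sample values; the request-token URL is a placeholder.
    step_a = signed_params("POST", "https://api.example.invalid/oauth/request_token",
                           "demo-key", "demo-secret",
                           extra={"oauth_callback": "https://partner.example/cb"})
    print(step_a)
    print(authorize_url("R2DiQMk1Est5d5nWp7Xa", portfolio_name="Smith Family Trust"))
```

For step A the token secret is empty, so the key is the consumer secret followed by `&`; steps E and G pass the token secret returned in steps B and F respectively.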