User API - OAuth 2.0 flow example with cURL

With OAuth 2.0 we support the following methods for retrieving an access token:

  - Authorization Code (example below): recommended approach for apps running on a web server.
  - Client Credentials: for authorisation with your Consumer Application client_id and secret. This is only suitable if you wish to communicate solely with your own Sharesight account linked to the Consumer Application.


Obtaining an Access Token via grant type "Authorization Code"

The following article describes how to obtain an access token via the OAuth 2.0 Authorization Code grant type. For simplicity, it is written with cURL.

  1. Redirect the user to the Sharesight website, including your OAuth 2.0 client_id and redirect_uri (the page Sharesight will redirect to after successful authentication).

    You can also include the parameter state to tie the initial authorisation request to the response sent to your Redirect URI.

    The state will then get returned along with the code in step 2 below.

    https://api.sharesight.com/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI

    Be aware that the redirect_uri has to match the Redirect URI from your Account > Sharesight API page, as described in Configuring OAuth. Also make sure it is URI-escaped (like https%3A%2F%2Fmy.server.com).

  2. After the user authorises your application, Sharesight will redirect back to your redirect URI, with the authorisation code attached as an HTTP parameter, like this:

    https://my.server.com?code=8a4ea...36d8

  3. Use this authorisation code to request an access token from Sharesight:

    curl -X POST -F grant_type=authorization_code -F code=8a4ea...36d8 -F redirect_uri=YOUR_REDIRECT_URI -F client_id=YOUR_CLIENT_ID -F client_secret=YOUR_CLIENT_SECRET https://api.sharesight.com/oauth2/token

    Applications marked as 'confidential' have to provide their application secret when trying to retrieve an access token. Applications not marked as 'confidential' don't need to do that (and should not), as they cannot hide their secret in their client application (for example, open-source apps). The client_credentials grant type must ALWAYS provide the application secret.

    Our API will return a JSON string like this:

    {"access_token": "e8b9...8c9f", "token_type": "bearer", "expires_in": 1800, "refresh_token": "5ece...067c", "created_at": 1431483450 }

    where access_token is your OAuth 2.0 access token, to be used for upcoming API requests. Make sure to also save refresh_token for later usage.
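Steps 1 and 2 as they might look on the server side, as an added example that is not Sharesight's own code: it builds the authorise URL with a URI-escaped redirect_uri and a random state, then accepts the code from the callback only if the returned state matches. The function names are hypothetical, and keeping the state in the user's server-side session is an assumption.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://api.sharesight.com/oauth2/authorize"  # from the page


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state) for step 1.

    Assumption: the caller stores `state` in the user's server-side session
    so it can be compared when the callback arrives.
    """
    state = secrets.token_urlsafe(32)  # unguessable, one value per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode performs the URI-escaping
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorisation code from step 2 only if the state matches."""
    params = parse_qs(urlsplit(callback_url).query)
    states = params.get("state", [])
    codes = params.get("code", [])
    # Require exactly one of each; duplicated parameters are rejected.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one code and one state")
    # Constant-time comparison against the value saved in step 1.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values; my.server.com is the page's example host.
    url, state = build_authorize_url("YOUR_CLIENT_ID", "https://my.server.com")
    print(url)
    callback = f"https://my.server.com?code=abc123&state={state}"
    print(code_from_callback(callback, state))
```

Only a code returned by code_from_callback should be passed to the token request in step 3.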


API usage with the access token

Use your access token to create an Authorization header, Authorization: Bearer YOUR_ACCESS_TOKEN, and send this header with your requests to the Sharesight API:

curl -H "Authorization: Bearer e8b9...8c9f" https://api.sharesight.com/api/v2/portfolios.json


Refreshing an Access Token

Sharesight access tokens are only valid for 30 minutes. Once expired, you have to refresh the access token using the aforementioned refresh_token:

curl -X POST -F grant_type=refresh_token -F client_id=YOUR_CLIENT_ID -F client_secret=YOUR_CLIENT_SECRET -F refresh_token=YOUR_REFRESH_TOKEN https://api.sharesight.com/oauth2/token

which will return a new access token:

{"access_token": "0841...0e99", "token_type": "bearer", "expires_in": 1800, "refresh_token": "04f0...b41a", "created_at": 1431396211 }