Refreshing tokens with VideoAsk API

The VideoAsk API should be used always within an authentication token.

An easy way to play around is with your temporary authentication token by logging into https://app.videoask.com/app and navigating to your Account > API section.

When you are ready to go on PROD environments you should proceed with the proper authentication flow, so in the following part I will describe an example about how you could obtain a proper access token and refresh it programatically.

Obtain API Prod Credentials

First of all we should get proper API credentials for prod environments, this is described in this article, you will end with an app created as it showed in the following screen:

After you complete those steps you will end up with Client ID and Client Secret

Refresh Token

The temporary token that exists on the VideoAsk profile only lives 15 minutes, so we should obtain another type of token that allow us to "refresh it" when gets expired.

Under Using production API credentials section in the VideoAsk API Doc it explains how to proceed with the authentication flow and do that programatically, but in the following steps I will explain how to do it using an example App that the VideoAsk team created to help with this flow.

Setting up the auth app

We are going to use glitch.com using an example auth app that will looks like:

After you sign up on the glitch site you should remix this app and follow the next steps:

1. Rename the new glitch app to videoask-<name of your app>
2. Copy the Client ID and Client Secret to the .env file in the new glitch app
3. Copy the live app url to the APP_URL env var (eg https://videoask-<name of your app>.glitch.me)
4. Set the SCOPES env var as openid,profile,email,offline_access
5. Set EXPRESS_SESSION env var to a unique random string. You can use random.org to generate it.
6. Add the glitch app url to the Allowed Callback URLs in your Developer Application setttings in VideoAsk app (eg: https://videoask-<name of your app>.glitch.me/auth/videoask/callback and save the application
7. Click on "Show" and then click on the "Login on VideoAsk" link with the user you want to be the one that act in behalf of your app. Make sure you get redirected to a page that looks something like this:

Access Token & Refresh Token

In the previous step we end up with 2 types of tokens access_token and refresh_token.

access_token: this token is the one we could use to call the API directly, and has an expiration time of 24 hours.

A simple python example:

import requests

ACCESS_TOKEN = "<Access Token>"

response = requests.get(
    "https://api.videoask.com/forms",
    headers={"Authorization": f"Bearer {ACCESS_TOKEN}"},
)

# Get the forms from the response
forms = response.json()['results']

refresh_token: As I mentioned before, the access_token will expires after 24 hours so we should refresh it to obtain a new valid one, here is when the refresh_token appears.

An explanation about how to use this token is in the API doc under Refresh your application's tokens but I will show an example of a simple app using python:

import requests
from http import HTTPStatus

CLIENT_ID = "<Client ID>"
CLIENT_SECRET = "<Client Secret>"

ACCESS_TOKEN = "<Access Token>"
REFRESH_TOKEN = "<Refresh Token"


def call_form_apis(access_token):
    return requests.get(
        "https://api.videoask.com/forms",
        headers={"Authorization": f"Bearer {access_token}"},
    )


def get_new_access_token():
    response = requests.post(
        "https://auth.videoask.com/oauth/token",
        json={
            "grant_type": "refresh_token",
            "refresh_token": REFRESH_TOKEN,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        },
    )

    return response["access_token"]


response = call_form_apis(ACCESS_TOKEN)

# When the token is expired the VideoAsk API will throw a 401 with the message:
# { "detail": "Token has expired." }
if response.status_code == HTTPStatus.UNAUTHORIZED:
    new_access_token = get_new_access_token()

    response = call_form_apis(new_access_token)

    if response.status_code == HTTPStatus.OK:

        forms = response.json()["results"]

Final Thoughts

• This is a simple example, ideally you should store the generated access token in a place you could re-use it meanwhile is valid so you are not re-refreshing a token each time. Redis is a good candidate storing the value with a TTL of 24 hours.

• Regarding permissions in this example our custom app will be using the token generated by the user that did the login on the glitch app. As a practical advise sometimes is good to have a new user on your organization that have permissions to certain folders so you will limit the usage of it (and of course you will use this user to get the first access/refresh token)