Authenticating with the AWeber API


OAuth - What is it?

The AWeber API uses the OAuth 1.0 model to handle authentication. OAuth is a standardized way for a service to grant an application permission to act on a user's behalf without exposing the user's credentials (i.e. username and password).

Each request made by your application also includes a request signature, which requires 7 mandatory parameters (all of them appear in the request dumps below):

   - oauth_consumer_key
   - oauth_nonce
   - oauth_signature
   - oauth_signature_method
   - oauth_timestamp
   - oauth_token (empty when requesting a request token)
   - oauth_version

Setting up your AWeber Developer Account

In order to write an application that interfaces with the AWeber API, you must first create a free developer account, and then create an application.

Once you've created your application, you'll be provided your app's consumer key and consumer secret. Do not ever share or distribute your application's key and secret! If you plan on releasing an application that is distributed, such as a desktop, mobile, or open source app, please follow the section on Authenticating Public Apps below.

(Figure: Application overview, showing your app's consumer key and consumer secret.)

Authenticating Private Apps with the AWeber API

Step 1. Getting a request token

  Request:
   - Method: POST
   - URL: https://auth.aweber.com/1.0/oauth/request_token
   - DATA:
  (
      [oauth_callback] => http://localhost/demo.php
      [oauth_consumer_key] => XXXXXXXXXXXXXX
      [oauth_nonce] => 510a6d6f0e4fb70b72096ce48cb22af8
      [oauth_signature] => uvNa27v1uyVES37VfsX2Tj1OUYU=
      [oauth_signature_method] => HMAC-SHA1
      [oauth_timestamp] => 1285168264
      [oauth_token] =>
      [oauth_version] => 1.0
  )
  Response:
  oauth_token_secret=zmcok2DAYjZNbZhy8IF1TQmxEWclbNlYB4SDkkEt&oauth_token=AA2rIlm2rESxb1OpLTW3zzsDUbDGfMcF4vLji1z2&oauth_callback_confirmed=true
  

Step 2. Authorizing your request token.

In order to pair the oauth_token with an AWeber account, redirect the user to AWeber's authorization page:

  https://auth.aweber.com/1.0/oauth/authorize?oauth_token=AA2rIlm2rESxb1OpLTW3zzsDUbDGfMcF4vLji1z2
  

The user will be prompted to log in to their account, which binds the oauth_token you hold to their AWeber account.

Users will see a dialog box asking for their permission to let your app access their data.

Once they grant access, AWeber redirects them to the oauth_callback you supplied in Step 1, with the oauth_verifier appended:

  http://localhost/demo.php?oauth_verifier=041zfu&oauth_token=AA2rIlm2rESxb1OpLTW3zzsDUbDGfMcF4vLji1z2
  

Step 3. Getting an Access Token

Next, trade the request token and verifier for an access token, which can be used to access customer data.

  Request: 
   - Method: POST
   - URL: https://auth.aweber.com/1.0/oauth/access_token
   - Data:
  (
      [oauth_consumer_key] => vjckuVc3sNrZWOa3PWnf
      [oauth_nonce] => 3408f7e0d712d31ae5c2ca65339931ac
      [oauth_signature] => 8SwKhqo8zi+o4rCA7IXZqnW1HI4=
      [oauth_signature_method] => HMAC-SHA1
      [oauth_timestamp] => 1285169995
      [oauth_token] => AA2rIlm2rESxb1OpLTW3zzsDUbDGfMcF4vLji1z2
      [oauth_verifier] => 041zfu
      [oauth_version] => 1.0
  )
  Response:
  oauth_token_secret=868zh4rxwewhj3tLkVVJYD7KHgFHILDgEaiW9p9F&oauth_token=JiNgFSkkwNSsxRXqefzSg6mIyQY7quoKyKozK1of
  

At this point, the oauth_token and oauth_token_secret that were generated in Step 1 as the request token have expired and cannot be used again.

Authenticating Public Apps with the AWeber API

As we said earlier, you should never distribute your application's key / secret. Doing so gives other people a means to spoof your application and gain access to customer data under false pretenses, and may come back to damage the reputation of your application. Don't do it, ever. Even embedding it in compiled code, such as a desktop or mobile application, poses a security risk, as there are several tools available for people to extract data from these formats.

Instead, use the application's unique App ID, an 8-digit hexadecimal number representing your application, which is available on the My Apps page.

Step 1. Authorizing an AWeber account using the App Id.

In order to generate request tokens, paired to an AWeber account, redirect your users to a special URL containing your App ID:

  https://auth.aweber.com/1.0/oauth/authorize_app/bec40eec
  

The user will be prompted to log in to their account, which generates new request tokens and binds them to their AWeber account.

Users will see a dialog box asking for their permission to let your app access their data.

Upon login, your users will be provided with a unique authorization code. Your application will need to provide a way for your users to enter this code into your application. The authorization code consists of an application key, application secret, request token, token secret, and oauth_verifier, delimited by pipes (|):

  Azdar73wQsyv9YLg0f4Cybcd|ZIxNMDea7gfboFxwfZzrKUDd1ODLb43z5fitxrfg|AqsdXmrNwzPw8SPQck1a87fy|iGPpoUyTFD3Qx68dHjubzQkDRc079hmeLUtYmoDC|1p6e7r|
  

Your application can simply split this string and use the pieces to get an access token, exactly as in Step 3 of the private-app flow above. The main difference is that the application key and secret obtained this way are unique to this one user and their AWeber account, so distribution of these keys does not put any of your other users' privacy at risk.

Step 2. Getting an Access Token

Next, trade the application key, request token and verifier for an access token, which can be used to access customer data.

  Request: 
   - Method: POST
   - URL: https://auth.aweber.com/1.0/oauth/access_token
   - Data:
  (
      [oauth_consumer_key] => Azdar73wQsyv9YLg0f4Cybcd
      [oauth_nonce] => 3408f7e0d712d31ae5c2ca65339931ac
      [oauth_signature] => 8SwKhqo8zi+o4rCA7IXZqnW1HI4=
      [oauth_signature_method] => HMAC-SHA1
      [oauth_timestamp] => 1285169995
      [oauth_token] => AqsdXmrNwzPw8SPQck1a87fy
      [oauth_verifier] => 1p6e7r
      [oauth_version] => 1.0
  )
  Response:
  oauth_token_secret=868zh4rxwewhj3tLkVVJYD7KHgFHILDgEaiW9p9F&oauth_token=JiNgFSkkwNSsxRXqefzSg6mIyQY7quoKyKozK1of
  

At this point, the oauth_token and oauth_token_secret that were generated in Step 1 as the request token have expired and cannot be used again.
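The signature computation used in every request on this page and the splitting of the pipe-delimited authorization code, as an added Python example that is not AWeber's own code. The consumer secret is not shown on this page, so the example signs with a made-up placeholder; the Step 1 parameter values are the ones printed above.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def oauth_escape(value):
    # RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Escape each key/value, sort, join as k=v&k=v, then escape that list
    # again while joining METHOD & URL & PARAMS (so the callback is double-encoded).
    encoded = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_escape(url), oauth_escape(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key = escaped consumer secret + '&' + escaped token secret.
    # For the request_token call (Step 1) there is no token yet, so it is "".
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, params, consumer_secret, token_secret=""):
    # params carries the mandatory oauth_* fields; oauth_signature is never
    # part of the signed input, and oauth_token may be empty as in Step 1.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    signed = dict(unsigned)
    base = signature_base_string(method, url, unsigned)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed

def parse_authorization_code(code):
    # Public-app code: key|secret|request_token|token_secret|verifier| (trailing pipe)
    fields = code.strip().split("|")
    if len(fields) < 5 or any(f == "" for f in fields[:5]):
        raise ValueError("authorization code needs 5 non-empty pipe-delimited fields")
    names = ("consumer_key", "consumer_secret", "oauth_token", "oauth_token_secret", "oauth_verifier")
    return dict(zip(names, fields[:5]))

# Step 1 parameters from this page (the consumer secret is not on the page).
STEP1_PARAMS = {
    "oauth_callback": "http://localhost/demo.php",
    "oauth_consumer_key": "XXXXXXXXXXXXXX",
    "oauth_nonce": "510a6d6f0e4fb70b72096ce48cb22af8",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1285168264",
    "oauth_token": "",
    "oauth_version": "1.0",
}
```

For the access_token call in Step 2, pass the request token's secret as token_secret and the consumer secret that came with the authorization code; for API calls, pass the access token's secret instead.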

Requesting data from the API

With the access token in hand, requests to the API are signed in the same way and can be used to access specific customer information.

  Request:
   - Method: GET
   - URL: https://api.aweber.com/1.0/accounts/1/lists/500000000/campaigns
   - Data:
  (
      [oauth_consumer_key] => vjckuVc3sNrZWOa3PWnf
      [oauth_nonce] => b465754c71a20d224ca27a7e0775c907
      [oauth_signature] => naHyLYWmDjJy6c90UWx4r4xEl64=
      [oauth_signature_method] => HMAC-SHA1
      [oauth_timestamp] => 1285170570
      [oauth_token] => JiNgFSkkwNSsxRXqefzSg6mIyQY7quoKyKozK1of
      [oauth_version] => 1.0
  )
  Response:
  {"total_size": 0, "start": 0, "entries": [], "resource_type_link" : "https://api.aweber.com/1.0/#campaign-page-resource"}