ESI auth without browser login

trying to transition my xml api based code to the new ESI.
my backend process is pulling data from the xml api in regular intervals. that currently is as simple as generating an api key and then fetching data with that key:

as far as i get it, the new oauth system requires human interaction through a browser (enter user/pass on the SSO page, select char and grant access to the scopes) to get an auth key. correct?

so how do i handle this in a non-gui, non-browser backend process?


The user is required to login to the SSO page once to generate a Code that you then use to request the access_token and refresh_token.

The access_token is good for 1200 seconds, once that expires you request a new one with the refresh_token.

So once you have those tokens you can in the background make continual requests to the endpoints that you had the user authenticate for on the SSO page. Rather than them creating an API and giving it to you, now you send them somewhere to generate codes that you use to Auth with on the ESI endpoints instead of an api key.


alright, got you so far - thanks. but the first part is still unclear.

“The user is required to login to the SSO page once”

for the sake of argument, my code is on a headless server somewhere in an aws farm. no gui, no browser. i can’t redirect and have someone enter stuff in some webpage.

i want to generate those two tokens somehow manually and give them to my program e.g. via config file. is there any web interface that i didn’t see yet to do that?

First step is you need to create your app here and register which Scopes your app requires.

Now for SSO with non web-based apps look over

Essentially you do need to have a place where they click a button, link or something that redirects them to the SSO page with the scopes needed, callback and such.

As you seem not to have GUI / webapps, the easiest is to get the token yourself manually, then save it in a config file.
You can use Steve's blog article to do it (without doing the google sheet part) for example: but this will only work for you.

But still, keep in mind that you should never give out your secret key, else you compromise yourself and your apps. So you can’t give it to users for them to do that stuff.

You can also give them the auth URL only, your users will need to give you back the code from the redirect, which you can use (whatever way you want) to generate the tokens.


perfect, thanks to both of you. that's all the info i need. it made me understand that i can construct everything manually this way:

run the url in browser of choice scopes you need

logon, get redirected to my dummy url, manually grab the “code” part from that url, paste it in my sourcecode and extract both tokens programmatically via webcall.
already tested, works. thanks again, i’m off coding :wink:
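
Added example, not part of the thread and not CCP's code: a Python sketch of the manual flow settled on above (paste the redirect URL once, exchange the code, keep both tokens in an owner-only config file, refresh before the 1200 seconds run out). The function names, the `TOKEN_URL` placeholder and the standard OAuth 2.0 request shape (HTTP Basic client authentication, form-encoded grant fields) are assumptions; take the real endpoint from the SSO documentation.

```python
import base64, json, os, time, urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder: set to the SSO token endpoint given in the developer docs.
TOKEN_URL = "https://sso.example.invalid/oauth/token"

def code_from_redirect(redirect_url):
    """Extract the one-time code from the redirect URL pasted out of the browser."""
    query = parse_qs(urlparse(redirect_url).query)
    if "code" not in query:
        raise ValueError("redirect URL carries no code")
    return query["code"][0]

def token_request(client_id, secret_key, code=None, refresh_token=None):
    """Build (headers, body) for the token POST; the secret never leaves this host."""
    if code is not None:
        form = {"grant_type": "authorization_code", "code": code}
    elif refresh_token is not None:
        form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    else:
        raise ValueError("need a code or a refresh_token")
    basic = base64.b64encode(f"{client_id}:{secret_key}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form).encode()

def fetch_tokens(headers, body):
    """POST to the token endpoint and return the decoded JSON response."""
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def save_tokens(path, resp, now=None):
    """Store both tokens plus an absolute expiry, readable by the owner only."""
    now = time.time() if now is None else now
    record = {"access_token": resp["access_token"],
              "refresh_token": resp["refresh_token"],
              "expires_at": now + resp["expires_in"]}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # tighten a pre-existing file as well
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    return record

def needs_refresh(record, now=None, skew=60):
    """True once the access token is within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    return now >= record["expires_at"] - skew
```

The refresh token in that file is as sensitive as the old API key was, so keep it out of version control along with the secret key.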