Authorization Flow

Get your server authorized to contact nutrition advisor AI

Best Practices

Your API key must never be exposed to end users. The backend service you are enhancing with the advisor should be the only system that ever requests a token.

Keep your API Key Safe

It is your responsibility to keep your API key safe.

If you make this request from client-side code (a browser or mobile app), anyone using that client can read the API key from the request headers and abuse it.

Auth Route

Obtain Nutrition Advisor Bearer Token

Using your license key, retrieve a token that your backend can use to call the Nutrition Advisor API. You must include the customer_id returned here in your request headers, as described under Required Headers.

POST https://api.passiolife.com/v2/token-cache/nutrition-advisor/oauth/licence/:key

Path parameters

key* (string, required)

the API or license key you were provided in your product dashboard

Response

OK

Body

access_token (string)
customer_id (string)
expires_in (number)
scope (string)
token_type (string)
Request

// Run this from your backend only; the license key must never reach a client.
// PASSIO_LICENSE_KEY is an environment variable name chosen for this example.
const key = process.env.PASSIO_LICENSE_KEY; // substitutes for :key in the path
const response = await fetch(`https://api.passiolife.com/v2/token-cache/nutrition-advisor/oauth/licence/${encodeURIComponent(key)}`, {
    method: 'POST',
});
const data = await response.json(); // access_token, customer_id, expires_in, scope, token_type
Response
{
  "access_token": "text",
  "customer_id": "text",
  "expires_in": 0,
  "scope": "text",
  "token_type": "text"
}

Requesting the Token

To obtain your token for the API, send a POST request carrying your API key in the path to our token service.

For example:

https://api.passiolife.com/v2/token-cache/nutrition-advisor/oauth/token/1i5eXnFpiRfiBGgLibonnBg10Ct14nALTAK5Jb6B4V4o

The values to note in the response are the access_token, customer_id, and expires_in fields.

{
    "access_token": "eyJhbGciOiJSUzI1NiIs...",
    "expires_in": 86155.034762118,
    "token_type": "Bearer",
    "customer_id": "0d8bb889-36e1-11ee-b9e9-92e504c243a4"
}

Implement Refreshing

The token response includes expires_in: the number of seconds, counted from the moment you obtained the token, until it expires. It is a duration, not an absolute timestamp.

A token can be invalidated before its expiry for various reasons, so your integration should treat a 403 response as a signal to request a fresh token and retry the request once.

Recommended Implementation:

  • Provide your license key to your application through environment injection, ideally from a secret manager; never hard-code it or commit it to source control

  • Create a wrapper, or preflight check when sending requests to Nutrition Advisor such that:

    • If there is no current token, obtain one as described under Requesting the Token

    • Whenever you obtain a token, record the time you received it. That time plus expires_in seconds is when the token expires; refresh before then

    • Request a new token whenever the current one is about to expire or a request is rejected with 403

    • Apply the required headers described under Required Headers

Required Headers

All requests require your Passio identifier in the request headers. Your customer_id is returned by the token request once your API key has been validated, and can be taken from that response and applied to your headers.

It is used to track usage and to identify leaked credentials. Any request with no identifier, or an invalid identifier, is rejected.

  • Authorization Header: provide your access_token in an Authorization header with the prefix Bearer, for example: {"Authorization": "Bearer <access_token here>"}

  • Passio Identification Header: provide your Passio customer_id (either as returned with the token or as shown on your product dashboard) in a Passio-ID header

{
  "Authorization": "Bearer <access_token here>",
  "Passio-ID": "0d8bb889-36e1-11ee-b9e9-92e504c243a4"
}
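The refresh procedure and header requirements above, implemented as a backend-side token cache and preflight wrapper. This is an added example, not Passio's own code: it assumes Node 18+ (global fetch), uses the token endpoint path documented on this page, treats ADVISOR_URL as a hypothetical placeholder for an advisor endpoint, and uses a constructed fake fetch so it runs offline.

```javascript
// Added example (not Passio's code): token cache + preflight wrapper for
// Nutrition Advisor. Assumes Node 18+. ADVISOR_URL is a hypothetical placeholder.
const TOKEN_URL =
  'https://api.passiolife.com/v2/token-cache/nutrition-advisor/oauth/licence/';
const REFRESH_MARGIN_MS = 60 * 1000; // assumption: refresh one minute early

// Absolute expiry (ms since epoch) = time the token was obtained + expires_in seconds.
function expiryFromResponse(obtainedAtMs, expiresInSeconds) {
  return obtainedAtMs + Math.floor(expiresInSeconds * 1000);
}

// Both required headers; customer_id comes from the token response.
function buildHeaders(accessToken, customerId) {
  return { Authorization: `Bearer ${accessToken}`, 'Passio-ID': customerId };
}

class AdvisorTokenCache {
  // fetchImpl and now are injectable so the cache can be exercised offline.
  constructor({ licenseKey, fetchImpl = globalThis.fetch, now = Date.now }) {
    if (!licenseKey) throw new Error('license key missing (inject it from env / secret manager)');
    this.licenseKey = licenseKey;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.token = null;   // { accessToken, customerId, expiresAtMs }
    this.pending = null; // in-flight token request shared by concurrent callers
  }

  needsRefresh() {
    return this.token === null || this.now() + REFRESH_MARGIN_MS >= this.token.expiresAtMs;
  }

  async fetchToken() {
    // Clock the request before sending: the server started counting at issuance,
    // so the computed expiry is never later than the real one.
    const obtainedAt = this.now();
    const res = await this.fetchImpl(TOKEN_URL + encodeURIComponent(this.licenseKey), { method: 'POST' });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const body = await res.json();
    this.token = {
      accessToken: body.access_token,
      customerId: body.customer_id,
      expiresAtMs: expiryFromResponse(obtainedAt, body.expires_in),
    };
    return this.token;
  }

  async getToken({ force = false } = {}) {
    if (!force && !this.needsRefresh()) return this.token;
    if (!this.pending) {
      this.pending = this.fetchToken().finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  // Preflight wrapper: attach headers; on 403 force one refresh and retry once.
  async request(url, init = {}) {
    const send = (tok) => this.fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), ...buildHeaders(tok.accessToken, tok.customerId) },
    });
    let res = await send(await this.getToken());
    if (res.status === 403) res = await send(await this.getToken({ force: true }));
    return res;
  }
}

// Constructed fake fetch: a token service plus an advisor endpoint that only
// accepts the most recently issued token and answers 403 otherwise.
function makeFakeFetch() {
  let issued = 0;
  const calls = [];
  const fake = async (url, init = {}) => {
    const h = init.headers || {};
    calls.push({ url, headers: h });
    if (url.startsWith(TOKEN_URL)) {
      issued += 1;
      const body = { access_token: `tok-${issued}`, customer_id: 'cust-1', expires_in: 3600, token_type: 'Bearer' };
      return { ok: true, status: 200, json: async () => body };
    }
    const ok = h.Authorization === `Bearer tok-${issued}` && h['Passio-ID'] === 'cust-1';
    return { ok, status: ok ? 200 : 403, json: async () => ({}) };
  };
  fake.calls = calls;
  fake.revoke = () => { issued += 1; }; // simulate server-side invalidation
  return fake;
}

const ADVISOR_URL = 'https://api.passiolife.com/v2/nutrition-advisor/placeholder'; // hypothetical

// Walks through: first call obtains a token; after revocation the cached token
// gets a 403, the wrapper refreshes once and the retry succeeds.
async function demo() {
  const fake = makeFakeFetch();
  const cache = new AdvisorTokenCache({ licenseKey: 'example-license-key', fetchImpl: fake });
  const first = (await cache.request(ADVISOR_URL, { method: 'POST' })).status;
  fake.revoke();
  const second = (await cache.request(ADVISOR_URL, { method: 'POST' })).status;
  const tokenRequests = fake.calls.filter((c) => c.url.startsWith(TOKEN_URL)).length;
  return { first, second, tokenRequests, advisorCalls: fake.calls.length - tokenRequests };
}
```

In production, replace the fake with the real fetch, keep a single AdvisorTokenCache per process, and keep the 403 retry to one attempt so a revoked or invalid license key fails loudly instead of looping. The shared pending promise prevents a burst of concurrent requests from each hitting the token service.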

Continue to API Request Setup to see code examples on making requests to Nutrition Advisor
