The bexio API supports the authorization framework OAuth 2.0. External applications can apply for access to an account without having to know the login credentials.
In order to use the OAuth interface, a client ID and a client secret is required. If you do not have either a client ID or a client secret, you can request access here.
You need to execute the following five steps to create an API request:
API DocsGET https://office.bexio.com/oauth/authorizeParameter
The User needs to login.
Once the user is logged in, he can check the requested scopes. The user is able to remove scopes if he does not want to share the information. Please consider this in your implementation.
If the user confirms the authorization request, he will be redirected back to the previously defined redirect_uri.
bexio will add the GET parameter code to this redirect_uri. This code is only valid for a few seconds and can be used to request an access token (see step 3).
You can request an access token by using the code you have received during step 2.
POST https://office.bexio.com/oauth/access_tokenParameter
Once you have requested the access token you will receive the following JSON response from bexio
{
"access_token": "da96469ea968dd7489d5e395d07578b94c45c732",
"expires_in": 14400,
"token_type": "bearer",
"scope": "contact_show general",
"refresh_token": "6af54fda928c6d21902393f0ea246c2a91ce08b8$aI0qlqicUsnk+LnUZ84m486QdN1t2eCZRlsaTlDsCFI=",
"org": "mycompany",
"user_id": 1
}The access token is valid for a limited time. The lifetime of the token can be learned from the value of expires_in.
In this case, the access token is valid for 14400 seconds -> 4 hours. The value refresh_token (valid for 2 weeks) can be used to request a new access token.
The field org represents the company identifier and must be used for every request. The field user_id is the user ID of the authorized user.
Any request has the following structure:
base url + resource
The base url is https://office.bexio.com/api2.php/%org%. Please note that %org% is a placeholder for the company identifier you have received in step 4.
This would result in the following url to fetch a list of all taxes:
GET https://office.bexio.com/api2.php/mycompany/taxThe access token you have received in step 4 must be used in the Header Authorization. Please use the header like this: Authorization: Bearer %access_token%.
In addition you must add an Accept header to the call. This results in the following headers:
Accept: application/json
Authorization: Bearer da96469ea968dd7489d5e395d07578b94c45c732If the access token has expired, a new access token can be acquired by using the refresh token.
POST https://office.bexio.com/oauth/refresh_tokenParameter
Response
You will receive the same response as in step 4. Please note that the values access_token and refresh_token are different.
Once you have requested a new access token, the old refresh token will no longer be valid.
{
"access_token": "c0d8b09a3d6867d31cbba64a3d5574a69eda9238",
"expires_in": 14400,
"token_type": "bearer",
"scope": "contact_show general",
"refresh_token": "461690a37d06d0b994b008805ac1df025bbe72d8$aI0qlqicUsnk+LnUZ84m486QdN1t2eCZRlsaTlDsCFI=",
"org": "mycompany",
"user_id": 1
}