This is a Topic in API and Developers

API authorisation

Avatar

At the moment, the only way to interact with the API is to send a Harvest account e-mail address and password with HTTP Basic. We do have the option to use SSL though, so this information is protected.

But this means if I want to let anyone else use the system I have written that interacts with the API, they either have to expose their Harvest login credentials to me / my system, or I have to give them the code to run on their own server (which isn’t ideal, as not everyone is a developer and it would be difficult to debug).

I’m not sure what the solution would be – API keys may not be sufficient (given that the API lets us write data too – which is good!). Perhaps a combination of API keys (which can be revoked) and permissions for what can be read and written with each API key.

Avatar

This is a generic authentication problem. We don’t have a solution for it, but managing a key-based setup is bound to be troublesome. Perhaps OAuth? We don’t have a schedule for this, I’m afraid.

Avatar

+1 for OAuth.

Avatar

+1 for OAuth as well.

In lieu of OAuth, would it be possible for a Harvest customer to create a new, read-only set of credentials that couldn’t edit any data, but could read it? It’s obviously more cumbersome than OAuth but could be a lot quicker for you guys to implement.

That user story would end up something like:

1. User goes to Harvest and creates a new username & password with read-only permissions
2. User goes to a 3rd-party site and gives it the new username & password
3. If the user ever changes her mind, she can revoke those credentials in Harvest and the 3rd-party application is locked out from then on.
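The read-only, revocable credential proposed in the posts above, sketched as an added example; it is not Harvest's code or API, and `KeyStore`, the scope names and the sample account are assumptions. The first two functions show why an HTTP Basic header hands the third party the password itself.

```python
import base64
import hashlib
import secrets

def basic_header(email, password):
    """Header a third party must store to use HTTP Basic on a user's behalf."""
    token = base64.b64encode(f"{email}:{password}".encode()).decode()
    return "Basic " + token

def decode_basic(header):
    """Base64 is an encoding, not encryption: the password comes straight back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    email, _, password = raw.partition(":")
    return email, password

class KeyStore:
    """Hypothetical server-side store of scoped, revocable API keys."""

    def __init__(self):
        self._keys = {}  # sha256(key) -> record; the raw key is never stored

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, owner, scopes):
        key = secrets.token_urlsafe(32)  # shown to the user once
        self._keys[self._digest(key)] = {
            "owner": owner, "scopes": frozenset(scopes), "revoked": False}
        return key

    def revoke(self, key):
        record = self._keys.get(self._digest(key))
        if record is not None:
            record["revoked"] = True

    def authorize(self, key, method):
        record = self._keys.get(self._digest(key))
        if record is None or record["revoked"]:
            return False
        needed = "read" if method.upper() in ("GET", "HEAD") else "write"
        return needed in record["scopes"]

def demo():
    # Constructed sample account; mirrors steps 1-3 of the user story.
    store = KeyStore()
    key = store.issue("user@example.com", {"read"})
    before = (store.authorize(key, "GET"), store.authorize(key, "POST"))
    store.revoke(key)
    return before, store.authorize(key, "GET")
```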

Avatar

@fhwang Wanted to let you know this thread has been a hot topic of discussion with our dev team. We are going to discuss our options next week. We’ll start thinking about the best way forward for Harvest’s API.

Thanks for the great feedback!

Avatar

+1. I just wanted to bring this up again; it’s been almost a year, and something I am building will require this.

Avatar

It’s definitely at the forefront for us. One of our developers has put in a bunch of time on this lately; hopefully we’ll have something to announce soon!

Avatar

Howdy OAuth users! We’re happy to announce OAuth 2.0 support is in beta. Check out the details on our blog: http://www.getharvest.com/blog/2011/10/oauth-2-...

This is a beta period, so your feedback is extra important.

Best,
-Matthew

 
