A secret facilitates an Bearer token authentication method (i.e. OAuth2) that is consumed in builtin web-hooks and with application connectors such as Salesforce.

While Secrets for application connectors are created automatically, secrets for Web-hooks are required to be created manually. This is a guide for manually creating and testing your secret integration.

OAuth2 Conventions

With Cellosign Secrets are managed in two standard conventions that are slightly defer in implementation.

• Username/password [General username and password]
• Client ID/Client secret [Microsoft Graph Rest API]

General username and password

Request example

With the example above this is how the request from Cellosign looks like

{
	"username": "Myusername",
	"password": "Mypassword",
	"grant_type": "password",
	"scope": "('read,write',)"
}

Expected response

Cellosign expects at least two parameters in response:

{
	"expires_in": 300,
	"access_token": "BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F"
}

• “access_token” that will be used in web hook request header for Authorization
• “expires_in” is a lapse time, in seconds, that the access token can be used before it is expired

Microsoft Graph Rest API

Request example

{
	"client_id": "8e17edb9-0f05-46cc-8741-a937e351e631",
	"client_secret": "Mysecret",
	"scope": "read,write",
	"grant_type": "password"
}

Expected response

Cellosign expects at least two parameters in response:

{
	"expires_in": 300,
	"access_token": "BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F"
}

• “access_token” that will be used in web hook request header for Authorization
• “expires_in” is a lapse time, in seconds, that the access token can be used before it is expired

Notes and gotchas

1. Note the difference in SCOPE parameter value between the two methods.
2. Cellosign will use token until the time of expiration provided for token request. When token is expired, Cellosign will initiate a request for a new token.