For 15 years our company has run on software I developed in Xojo/RealBasic, and for the last month I’ve been facing a new challenge with stuff that’s totally new to me: accessing an online API to exchange info with a supplier of ours.
I was sent this info (and of course everything is fictional, not the real info):
API 1 (api/v1/customer/)
API 2 (api/v1/order)
API 4 (api/v1/document)
API 5 (api/v1/winprod/{orderNumber})
I have built some simple code to test, but I guess I’m approaching this completely wrong:
var profelkey as string = "pkpkpk"
var profelclientid as string = "aaaaaa"
var profelsecret as string = "bbbbbb"
var temp as string
temp = TextField1.Text+"?key="+profelkey+"&client_id="+profelclientid+"&client_secret="+profelsecret+"&OrderNumber="+ordernummer.Text
TextArea1.Text = URLConnection1.SendSync("GET", temp, 30)
Often JSON is used for stuff like this. Currently not at my desk, I can’t give you “real” code. But maybe I can give you something to start with?
Var UC As New URLConnection
Var content As String
Var json As New JSONItem
json.Value("profelkey") = "pkpkpk"
json.Value("profelclientid") = "aaaaaa"
json.Value("profelsecret") = "bbbbbb"
UC.SetRequestContent(json.ToString, "application/json")
Var s As String = "https://api.test.com/api/v1/customer/?OrderNumber="+ordernummer.Text
content = UC.SendSync("GET", s, 10)
Unfortunately not. I did ask for more clarification about which values/labels to use in the JSON file.
I think that is the way to approach this, thanks!
At first, with my “dirty code” I got nothing but a short error or no feedback at all, but after using your code as an example I’m getting: “Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API.” So I’m at least knocking at the correct door, just need to understand how to formulate the correct questions and how to relate my passkey, Client ID and Client Secret.
Belgian supplier?
Do they have any documentation of their API? Is it REST, soap,…?
Did you know that if you use RapidAPI (formerly known as Paw, see https://paw.cloud/) you can generate Xojo code from your test calls?
That’s been a big help to us. Xojo, Inc. · GitHub
You really need API docs. Safer ones don’t even use GET but POST to exchange JSON packets to avoid some simplistic attacks from users playing with browsers and URIs.
That’s a great app for testing, thanks! With it I learned that our (indeed Belgian) supplier uses the Microsoft Azure platform to run their API on. RapidAPI reports a “PASS” but I can’t seem to get past the authentication…
I got this response from the server:
HTTP/1.1 401 Access Denied
Content-Length: 152
Content-Type: application/json
WWW-Authenticate: AzureApiManagementKey realm="https://api.supplier.be/wd",name="Ocp-Apim-Subscription-Key",type="header"
Date: Sat, 09 Dec 2023 12:54:01 GMT
Connection: close
{ "statusCode": 401, "message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API." }
Best thing would be to contact the supplier and ask if they have documentation.
Looks like they might be using Auth.0 and you have to request a token with your client id and client secret.
The token would then be sent in your actual call.
You would add an Ocp-Apim-Subscription-Key as well I think.
So something like this
// Request (58)
// Set up the socket
Dim mySocket as new URLConnection
mySocket.RequestHeader("Ocp-Apim-Subscription-Key") = "pkpkpk"
mySocket.RequestHeader("Authorization") = "Bearer tokenreceived"
If you get a client ID and a secret, you are on the right track
Perform all subsequent requests in the same way, only replacing authentication with the Client ID and Secret in appropriate parameters and adding your other parameters to the requests.
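The 401 response quoted earlier in the thread already says where the key belongs: its WWW-Authenticate header names the parameter (`Ocp-Apim-Subscription-Key`) and its location (`header`). The following is an added example, not code from any poster or from the supplier; `ParseChallenge` and `GetWithKey` are hypothetical helper names, and it assumes the Xojo API 2 `URLConnection`, `Dictionary` and `String` methods.

```xojo
// Added example; not from the thread or the supplier's documentation.
// Splits a challenge such as the one in the 401 above into a Dictionary:
//   AzureApiManagementKey realm="...",name="Ocp-Apim-Subscription-Key",type="header"
// Limitation: assumes no parameter value contains a comma.
Function ParseChallenge(challenge As String) As Dictionary
  Var result As New Dictionary
  Var trimmed As String = challenge.Trim
  Var firstSpace As Integer = trimmed.IndexOf(" ")
  If firstSpace < 0 Then
    result.Value("scheme") = trimmed
    Return result
  End If
  result.Value("scheme") = trimmed.Left(firstSpace)
  // Parameters are comma-separated key="value" pairs
  For Each part As String In trimmed.Middle(firstSpace + 1).Split(",")
    Var eq As Integer = part.IndexOf("=")
    If eq > 0 Then
      Var paramName As String = part.Left(eq).Trim.Lowercase
      result.Value(paramName) = part.Middle(eq + 1).Trim.ReplaceAll("""", "")
    End If
  Next
  Return result
End Function

// Sends a GET; on a 401 that asks for a key in a header, retries once with it.
// The key is sent as a request header and never placed in the URL, because
// URLs are commonly written to server and proxy logs.
Function GetWithKey(url As String, subscriptionKey As String) As String
  // Refuse to send a credential over anything but HTTPS
  If Not url.BeginsWith("https://") Then Return ""

  Var first As New URLConnection
  Var body As String = first.SendSync("GET", url, 30)
  If first.HTTPStatusCode <> 401 Then Return body

  Var c As Dictionary = ParseChallenge(first.ResponseHeader("WWW-Authenticate"))
  Var headerName As String = c.Lookup("name", "")
  Var location As String = c.Lookup("type", "")
  // Only a header-based key is handled here; return the 401 body otherwise
  If headerName = "" Or location <> "header" Then Return body

  Var retry As New URLConnection
  retry.RequestHeader(headerName) = subscriptionKey
  Return retry.SendSync("GET", url, 30)
End Function
```

If the retry still returns 401, the second connection's own WWW-Authenticate header is the next thing to read, since it states what the server is still missing.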
Hacking is different… And I have also encountered APIs that are poorly documented or not documented at all. But I don’t think the API documentation is the problem, but rather the practice with URLConnection.
Someone needs help and we are happy to help.
You are thinking wrong. If some endpoint API is “poorly documented” the provider must be contacted to clarify doubts and even enhance docs. And obviously we are here to help.
If the user can give us the right directions, what provider he wants to access, we can look for docs.
Edit:
Looks like he has the contact for the docs/clarifications. So he is on the right direction, just need more support from the API supplier. Matter of time now.
But really it’s a combination of things: It’s the first time I’m working with accessing a web API like this, so it’s all new to me. I’ve built a simple solution for accessing the Discogs API last year, but that was all quite simple compared to this (just one key and one header to integrate in the call). Not only Xojo’s code to access it is quite new to me, also the terminology used concerning web APIs. That’s also the reason it’s very difficult for me to know what exactly I need to access it and what I’m missing here. Because of my lack of knowledge of web APIs I’m not capable of explaining to the supplier WHAT it is I’m missing here. And to be completely honest: I guess the one replying to my mails at the supplier’s isn’t that capable either, because he keeps sending me the same info (see my first message here) stating “that’s all I need”…
I think I need to try to find somebody at my suppliers that knows a bit more about this stuff, because I have the feeling I’m close, but I’m missing some essential piece of info here…
I really don’t get why you can’t get info from them on how to use their (supposedly open) API. Unless it is closed. If closed, it may be protected in ways you may not guess. Depending on how they handle security, even trying wrong may label your endpoint suspect and you can get a temporary ban. And next attempts may fail for no reason, for hours, until your suspension ceases.