Accessing an online API with Client ID and Client secret

For 15 years our company has run on software I developed in Xojo/RealBasic, and since last month I've been facing a new challenge with stuff that's totally new to me: accessing an online API to exchange info with a supplier of ours.

I was sent this info (and of course everything is fictional, not the real info):

Client ID: aaaaaa
Client Secret: bbbbbb
URL: https://api.supplier.be/wd/v1
API: windowsanddoorsapi
Primary key: pkpkpk
Secondary key: sksksk

I was given the info of a few API calls I can do:

API 1 (api/v1/customer/)
API 2 (api/v1/order)
API 4 (api/v1/document)
API 5 (api/v1/winprod/{orderNumber})

I have built some simple code to test, but I guess I’m approaching this completely wrong:

// Credentials (fictional values) for the test call
var profelkey as string = "pkpkpk"
var profelclientid as string = "aaaaaa"
var profelsecret as string = "bbbbbb"
var temp as string

// Build the URL with key, client ID and client secret as query parameters
// (the original line passed profelsecret for client_id as well; fixed to use profelclientid)
temp = TextField1.Text+"?key="+profelkey+"&client_id="+profelclientid+"&client_secret="+profelsecret+"&OrderNumber="+ordernummer.Text

// Send the GET synchronously with a 30 second timeout and show the raw response
TextArea1.Text = URLConnection1.SendSync("GET", temp, 30)

Do you have example code for CURL or php?

Often JSON is used for stuff like this. Currently not at my desk, i cant give you “real” code. But maybe i can give you something to start with?

Var UC As New URLConnection
Var content As String

// Put the credentials in a JSON body instead of the query string
Var json As New JSONItem
json.Value("profelkey") = "pkpkpk"
json.Value("profelclientid") = "aaaaaa"
json.Value("profelsecret") = "bbbbbb"

// Attach the JSON as the request content
UC.SetRequestContent(json.ToString, "application/json")

// Send the request synchronously with a 10 second timeout
Var s As String = "https://api.test.com/api/v1/customer/?OrderNumber="+ordernummer.Text
content = UC.SendSync("GET", s, 10)

Unfortunately not. I did ask for more clarification about which values/labels to use in the JSON file.

I think that is the way to approach this, thanks!

At first, with my “dirty code” I got nothing but a short error or no feedback at all, but after using your code as an example I’m getting: “Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API.” So I’m at least knocking at the correct door, just need to understand how to formulate the correct questions and how to relate my passkey, Client ID and Client Secret.

You need API documentation to answer that, but it sounds like OAuth to me.

I think so too. I need to know what ‘labels’ to use, like “Key” or “Primary_Key” etc.

Belgian supplier?
Do they have any documentation of their API? Is it REST, soap,…?
Did you know that if you use RapidAPI (formerly known as Paw, see https://paw.cloud/) you can generate Xojo code from your test calls.
That’s been a big help to us.

You really need API docs. Safer ones don’t even use GET but POST to exchange JSON packets to avoid some simplistic attacks from users playing with browsers and URIs.

That’s a great app for testing, thanks! With it I learned that our (indeed Belgian) supplier uses the Microsoft Azure platform to run their API on. RapidAPI reports a “PASS” but I can’t seem to get past the authentication…

I got this response from the server:

HTTP/1.1 401 Access Denied
Content-Length: 152
Content-Type: application/json
WWW-Authenticate: AzureApiManagementKey realm="https://api.supplier.be/wd",name="Ocp-Apim-Subscription-Key",type="header"
Date: Sat, 09 Dec 2023 12:54:01 GMT
Connection: close

{ "statusCode": 401, "message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API." }

Googled the WWW-Authenticate header and found this page from Microsoft: Azure API Management Troubleshooting Scenario 3 - Receiving unauthorized errors (401) while invoking APIs - Azure | Microsoft Learn

Googling more after that led me to more articles about authorization.

REST APIs are an area I am quite skilled if you’re interested in professional help.


Best thing would be to contact the supplier and ask if they have documentation.
Looks like they might be using Auth.0 and you have to request a token with your client id and client secret.
The token would then be sent in your actual call.

You would add an Ocp-Apim-Subscription-Key as well I think.

So something like this

// Request (58)

// Set up the socket and the two headers: the APIM subscription key and the bearer token
Dim mySocket as new URLConnection
mySocket.RequestHeader("Ocp-Apim-Subscription-Key") = "pkpkpk"
mySocket.RequestHeader("Authorization") = "Bearer tokenreceived"

// Set the URL (closing quote was missing in the original)
dim url as string = "https://api.supplier.be/wd/v1/customer/"

// Send Synchronous Request
dim s as String = mySocket.SendSync("GET", url, 30)
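An added example (mine, not code from the thread or from the supplier) that ties the 401 response quoted earlier to the header-based request sketched above: it reads the WWW-Authenticate challenge to learn which header the subscription key belongs in, builds the headers with the optional Bearer token, and flags credential-looking query parameters like the ones in the very first GET attempt. The challenge value is copied from the thread; "tokenreceived" is a placeholder, and the list of secret parameter names is my assumption.

```python
"""Added example: handle the AzureApiManagementKey challenge from the thread."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the WWW-Authenticate value from the 401 reply in the thread.
CHALLENGE = ('AzureApiManagementKey realm="https://api.supplier.be/wd",'
             'name="Ocp-Apim-Subscription-Key",type="header"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header_value):
    """Split 'Scheme k="v",k="v"' into (scheme, {k: v})."""
    scheme, _, rest = header_value.strip().partition(" ")
    return scheme, dict(_PARAM.findall(rest))


def build_headers(challenge, subscription_key, bearer_token=None):
    """Put the subscription key in the header the challenge names; add
    'Authorization: Bearer ...' when a token was obtained separately."""
    scheme, params = parse_challenge(challenge)
    if scheme != "AzureApiManagementKey" or params.get("type") != "header":
        raise ValueError("unsupported challenge: %r" % challenge)
    headers = {params["name"]: subscription_key}
    if bearer_token:
        headers["Authorization"] = "Bearer " + bearer_token
    return headers


# Assumed names of credential parameters that should never travel in a URL,
# where proxies and server access logs record them.
SECRET_PARAMS = {"key", "client_id", "client_secret", "subscription-key"}


def leaked_secrets_in_url(url):
    """Return the credential-looking query parameter names found in url."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SECRET_PARAMS)


if __name__ == "__main__":
    print(build_headers(CHALLENGE, "pkpkpk", "tokenreceived"))
    first_attempt = ("https://api.supplier.be/wd/v1/customer/?key=pkpkpk"
                     "&client_id=aaaaaa&client_secret=bbbbbb&OrderNumber=42")
    print(leaked_secrets_in_url(first_attempt))
```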

Yes, that’s it!

I also received Client ID and Client Secret from our supplier so I thought I needed that too to get in, but it turns out that I do not need that?

But I’m in now, so I can get on with connecting and retrieving info with the correct calls.

Thanks everybody!!

Ah, crap. I left the standard URL from Paw in the URL field. :roll_eyes: Still no success :face_with_peeking_eye:

You need them for all subsequent requests. Everything else does not make sense. :slight_smile:

If you get a client ID and a secret, you are on the right track
Perform all subsequent requests in the same way, only replacing authentication with the Client ID and Secret in appropriate parameters and adding your other parameters to the requests.

I don’t get what’s going on here.

An authorized use comes with API docs. Trial and error looks like someone trying to hack something.

Hacking is different… And I have also encountered APIs that are poorly documented or not documented at all. But I don’t think the API documentation is the problem, but rather the practice with URLConnection.
Someone needs help and we are happy to help.

You are thinking wrong. If some endpoint API is “poorly documented” the provider must be contacted to clarify doubts and even enhance docs. And obviously we are here to help.
If the user can give us the right directions, which provider he wants to access, we can look for docs.

Edit:

Looks like he has the contact for the docs/clarifications. So he is headed in the right direction; he just needs more support from the API supplier. A matter of time now.

I can understand your reaction :sweat_smile:

But really it’s a combination of things: it’s the first time I’m working with accessing a web API like this, so it’s all new to me. I built a simple solution for accessing the Discogs API last year, but that was all quite simple compared to this (just one key and one header to integrate in the call). Not only is Xojo’s code to access it quite new to me, but so is the terminology used concerning web APIs. That’s also the reason it’s very difficult for me to know what exactly I need to access it and what I’m missing here. Because of my lack of knowledge of web APIs I’m not capable of explaining to the supplier WHAT it is I’m missing here :laughing: And to be completely honest: I guess the one replying to my mails at the supplier isn’t that capable either, because he keeps sending me the same info (see my first message here) stating “that’s all I need”…

Fiddling along with RapidAPI I found out that I’m probably communicating with a Microsoft Azure server, because I read this in a response: WWW-Authenticate: AzureApiManagementKey realm="https://api.supplier.be/wd",name="Ocp-Apim-Subscription-Key",type="header".

I think I need to try to find somebody at my suppliers that knows a bit more about this stuff, because I have the feeling I’m close, but I’m missing some essential piece of info here…

I really don’t get why you can’t get info from them on how to use their (supposedly open) API. Unless it is closed. If closed, it may be protected in ways you may not guess. Depending on how they handle security, even trying wrong may label your endpoint suspect and you can get a temporary ban. And next attempts may fail for no reason, for hours, until your suspension ceases.