Croplet Dev Tools
Oauth2
Embed in Dacom app
INTRODUCTION
When a farmer installs your croplet application (app), he can visit your app page. This app page is an iframe on the Dacom platform. The iframe will open the URL configured in your croplet.
AUTHENTICATE USER
We can pass a temporary token into the iframe URL. With this token you can identify the user signed in to our system.
You need to validate this temporary token against our Dacom system to obtain the actual access token.
Steps to retrieve user access token
- Add the {{TEMP_TOKEN}} key to your croplet URL in your croplet settings.
e.g.: https://mydomain.com/?temp_token={{TEMP_TOKEN}}
When a user requests your croplet application, the {{TEMP_TOKEN}} key will be replaced with a temporary generated token. This temporary token is valid for a maximum of 1800 seconds. The farm id of the requested farm can also be added to the callback URL. If the callback URL contains {{FARM_ID}} it will be replaced with the farm id of the currently active farm.
The username of the authenticated user can also be added to the callback url. If the callback url contains {{USER}} it will be replaced with the username of the currently logged on user.
- Sign this temporary token with your croplet client secret.
Sign it using the sha1 hash: sha1(temporary token + croplet client secret)
- Post both the temporary token and the signed temporary token to our system using the following POST request.
/oauth2/validate_temp_token
Example with `wget`:
wget https://dacom.farm/oauth2/validate_temp_token --post-data "token=$TEMP_TOKEN&signed_token=$SIGNED_TEMP_TOKEN"
- If the above request validates, the actual access token is returned in a JSON response. Use this access token to authenticate the user and send requests to our API.
Example successful response:
{"token": "user_oauth_token"}
Error handling
If the temp token has expired, the signed temporary token is invalid, or any other error occurs, an HTTP 500 error response is returned.
Note
In that case the oauth2 authentication flow should be started to acquire an access token, as described in the oauth2 tutorial.
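The steps above as an added Python example (not Dacom's own code): it signs the temporary token, builds the POST body, and returns None on any failure so the caller can fall back to the oauth2 flow. The UTF-8 encoding, hex digest, function names and timeout are assumptions; the URL and field names come from the wget example.

```python
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request

VALIDATE_URL = "https://dacom.farm/oauth2/validate_temp_token"  # from the wget example


def sign_temp_token(temp_token: str, client_secret: str) -> str:
    """sha1(temporary token + croplet client secret), as the steps above specify.
    Assumption: UTF-8 input and a lowercase hex digest; the page does not say."""
    return hashlib.sha1((temp_token + client_secret).encode("utf-8")).hexdigest()


def build_validation_body(temp_token: str, client_secret: str) -> bytes:
    """Form-encode the two POST fields; urlencode escapes characters such as '&'."""
    return urllib.parse.urlencode({
        "token": temp_token,
        "signed_token": sign_temp_token(temp_token, client_secret),
    }).encode("ascii")


def parse_validation_response(status: int, body: bytes):
    """Return the access token, or None when the oauth2 flow should be started."""
    if status != 200:
        return None  # the page documents HTTP 500 for expired or invalid tokens
    try:
        token = json.loads(body).get("token")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return None
    return token if isinstance(token, str) and token else None


def exchange_temp_token(temp_token, client_secret, url=VALIDATE_URL, timeout=10):
    """Run this on your server so the client secret never reaches the iframe's browser code."""
    req = urllib.request.Request(url, data=build_validation_body(temp_token, client_secret))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_validation_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # non-2xx status, including the documented 500
        return parse_validation_response(err.code, err.read())
    except OSError:  # network failure or timeout
        return None
```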