Authorization

29/06/2023 admin

Authorizing With Trello’s REST API

Introduction

Trello's API uses token-based authentication to grant third-party applications access to the Trello API. Once a Trello user has granted an application access to their Trello account and data, the application is given a token that can be used to make requests to the Trello API on behalf of the user.
There are two ways to authorize a client and receive a user token. The first is via our 1/authorize route, the second is via basic OAuth1.0. We'll cover the former now. If you'd rather use OAuth, you can skip ahead to Using Basic OAuth.

Authorizing A Client

To begin the authentication process, you need an API key. As an API key is tied to a Power-Up, you can visit the https://trello.com/power-ups/admin page, access your Power-Up, navigate to the API Key tab and select the option Generate a new API Key if you haven't generated the API key yet.

Once you have an API key, you will use it to ask a Trello user to grant access to your application. To do so, you should direct a user to the authorize URL and pass along the query parameters needed, as documented below. The authorize prompt can be opened in a number of different ways and with a number of different options.
When you kick off the authorization flow, the user will see the following screen:

The name of the application, length of access, and scope of permissions are all configurable via query params (documented below).
For instance, if you're just getting started with Trello's API and you'd like to explore what is possible, you can generate a token for yourself using your API key and the following URL: https://trello.com/1/authorize?expiration=1day&name=MyPersonalToken&scope=read&response_type=token&key={YourAPIKey}
After visiting this page and clicking the green Allow button, you'll be redirected to a page with your token. You can now use that token and your API key to make a request to the Trello API. You can give it a try with: https://api.trello.com/1/members/me/?key={yourAPIKey}&token={yourAPIToken}. This should return an object containing information about your Trello user.

Keep Trello Tokens Secret

Tokens for users should always be securely stored, as they grant access to the entire user's account! It is fine for your API key to be publicly available, but a token should never be publicly available. If a token becomes public, it should be revoked immediately by the user.
If you're authorizing a web client, you may want to check out client.js, a wrapper for the API in JavaScript. It includes built-in authorization methods that you may find useful. However, it uses the same routes as are documented below.

1/authorize/ Route Options

| Parameter | Valid Values | Description |
| --- | --- | --- |
| return_url | string | A valid URL that the token should be returned to. If the token is being passed by fragment, this is where the user will be redirected after authorization. If the token is being passed by postMessage, this will be used as the origin for the postMessage. |
| callback_method | string | postMessage or fragment. Defines how the token is returned to you. Generally, postMessage is used if the authorization is done in a popup, and fragment if it is done by redirect. |
| scope | string | Comma-separated list of one or more of read, write, account. Read: reading of boards, organizations, etc. on behalf of the user. Write: writing of boards, organizations, etc. on behalf of the user. Account: read member email, writing of member info, and marking notifications read. |
| expiration | string | 1hour, 1day, 30days, never. When the token should expire. |
| name | string | Name of the application. Displayed during the authorization process. |
| key | string | Valid Trello API key. Used to generate the user's token. |
| response_type | string | token or fragment. The response_type of token will return the full user token. |

Accessing User Emails

Member emails can only be accessed when the account scope is requested. Once granted, the token generated can only be used to access the email address of the user who granted access.
Bulk email access is only available to enterprises via the SCIM API.

Handling User Deny

Depending on the response_type you are using, Trello will do one of two things when a user clicks "Deny" from the authorization flow's prompt.

| response_type | Trello's Response |
| --- | --- |
| fragment | Trello will now add an empty token= query parameter and error= parameter with error message to the fragment when redirecting back to the return_url specified. |
| postMessage | Trello will postMessage an error key in the postMessage with the error message being the value. This will be sent to the return_url specified. |
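
An added example, not part of Trello's documentation or client.js: building the authorize URL from the route options above for a redirect flow, then reading the result from the fragment on return, including the deny case. The function names and the shape of the returned objects are assumptions of this sketch.

```javascript
// Added example (not Trello's code). Values the 1/authorize route documents.
const SCOPES = ["read", "write", "account"];
const EXPIRATIONS = ["1hour", "1day", "30days", "never"];

// Build the authorize URL for a redirect-based flow (callback_method=fragment).
// Values the route does not document are rejected here, so a mistyped scope
// or expiration fails in your code rather than at Trello.
function buildAuthorizeUrl({ key, name, scope, expiration, returnUrl }) {
  const badScope = scope.find((s) => !SCOPES.includes(s));
  if (badScope) throw new Error("unknown scope: " + badScope);
  if (!EXPIRATIONS.includes(expiration)) {
    throw new Error("unknown expiration: " + expiration);
  }
  const url = new URL("https://trello.com/1/authorize");
  url.searchParams.set("key", key);
  url.searchParams.set("name", name);
  url.searchParams.set("scope", scope.join(","));
  url.searchParams.set("expiration", expiration);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("callback_method", "fragment");
  // new URL() throws on a malformed return_url before anything is sent.
  url.searchParams.set("return_url", new URL(returnUrl).href);
  return url.href;
}

// Parse the fragment Trello appends to return_url. On deny, token= is empty
// and error= carries the message, so an empty token is treated as a failure
// and is never stored.
function parseAuthorizeFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const token = params.get("token");
  const error = params.get("error");
  if (error || !token) {
    return { ok: false, error: error || "no token in fragment" };
  }
  return { ok: true, token };
}
```

In a browser, call parseAuthorizeFragment(window.location.hash) on the return_url page and then clear the fragment so the token does not linger in the address bar or history.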

Revoking Tokens

Trello users can view metadata regarding the applications they have authorized and granted a token by visiting their account settings page: https://trello.com/{username}/account. There, under the Applications heading, they will see a list of every application they've granted access to, the scope of the access, the date access was approved, and the date that the token expires.

Users are able to revoke a token by clicking on the Revoke button next to the listing. Revoking the token removes the token's access to the user's account and it can no longer be used to make requests to Trello's API on behalf of the user.
Tokens can also be deleted via the API. There is a /1/tokens resource that includes a DELETE action.
Applications and Power-Ups should handle token revocation gracefully. If a token has been revoked, the API will respond with a 401 HTTP status and the message: invalid token. At that point, the Power-Up or integration should ask the user to re-authorize the application.

Allowed Origins

When your application is authenticating a user, you may pass a return_url that Trello will redirect to after the user gives consent for your application. By default an application key can redirect to any domain, but we strongly recommend that you specify the origins that your application will redirect to when completing authorization.
For instance, if we were GitHub building a GitHub integration for Trello, and we knew we would only ever redirect back to https://github.com after the user grants access in the auth flow, or maybe also http://localhost:3000 for local development, we could add both of those as allowed origins for our application, and no one would be able to use our API key to authenticate users and pass back the token to any other URL, like https://bad.example.com.
You can manage your API key's allowed origins via the https://trello.com/power-ups/admin page, then access your Power-Up and navigate to the API Key tab.
Note: If your API key has no allowed origins set, then no redirect URLs will work.

Application Icon

The Application Icon section includes an input field into which you can save the URL of the icon that you would like to use.
The icon you submit will be used to replace the placeholder icon seen on the authorization flow. If no icon is provided, we'll continue to show the default icon.
The icon should be 64px by 64px and hosted on https://.
Note: This section only appears on your member-specific app key page located at https://trello.com/app-key. If you are configuring an app key that's tied to a Power-Up, there is no Application Icon section. The icon for this app key will be the Power-Up's icon instead.

Using Basic OAuth

The Trello API supports basic OAuth 1.0; you can use an OAuth library and the following URLs:

https://trello.com/1/OAuthGetRequestToken
https://trello.com/1/OAuthAuthorizeToken
https://trello.com/1/OAuthGetAccessToken

You'll also need your application secret (used to sign your requests). That's listed in the API Key tab on your Power-Up management page https://trello.com/power-ups/admin.

Example OAuth Project In Node.js

We've put together an example project in Node that demonstrates the basic routes and configuration necessary to use OAuth to access Trello's API. You can view the Glitch project here.

Passing Token and Key In API Requests

Once you have an API key and a user's token, you can pass authorization information to Trello in one of three ways:

  1. Query parameters
  2. Authorization header
  3. PUT/POST body

Authorization via Query Parameters

The easiest and quickest way to pass authorization to Trello is via query parameters.
You can include a key= and token= query parameter in your request.
For instance, here is a simple request passing authorization via query parameters:

curl "https://api.trello.com/1/members/me?key={{apiKey}}&token={{apiToken}}"

Authorization header

The Trello API will also accept authorization via an Authorization header with the format: OAuth oauth_consumer_key="{{apiKey}}", oauth_token="{{apiToken}}".
For instance, here is the same request as above, but using an Authorization header:

curl -H "Authorization: OAuth oauth_consumer_key=\"{{apiKey}}\", oauth_token=\"{{apiToken}}\"" https://api.trello.com/1/members/me

PUT/POST Body

If you are making a PUT or POST request to Trello's API, you may also include the key and token in the request's body:

curl -X PUT \
https://api.trello.com/1/cards/5e568d33e9b5e88bb99996d0/name \
-H "Content-Type: application/json" \
-d '{"key": "{{apiKey}}", "token": "{{apiToken}}", "value": "Finish Final Presentation" }'
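
An added example, not Trello's code: sending the key and token in the Authorization header described above so the token stays out of URLs, recognising the revoked-token response from the Revoking Tokens section, and redacting a token from a URL before it is logged. The helper names trelloRequest, needsReauthorization and redactUrl are hypothetical.

```javascript
// Added example (not Trello's code); helper names are hypothetical.
const API_BASE = "https://api.trello.com/1";

// Build fetch() arguments that carry the key and token in the Authorization
// header, in the format shown above, so the token does not end up in the
// request URL (and from there in proxy logs or browser history).
function trelloRequest(path, apiKey, apiToken, init = {}) {
  for (const value of [apiKey, apiToken]) {
    // A quote, backslash or line break would corrupt the header value.
    if (/["\\\r\n]/.test(value)) throw new Error("malformed key or token");
  }
  const headers = { ...(init.headers || {}) };
  headers.Authorization =
    `OAuth oauth_consumer_key="${apiKey}", oauth_token="${apiToken}"`;
  return { url: API_BASE + path, init: { ...init, headers } };
}

// A revoked token yields HTTP 401 with the message "invalid token". Treat
// that as: discard the stored token and send the user back through the
// authorize flow, rather than retrying the request.
function needsReauthorization(status, bodyText) {
  return status === 401 && /invalid token/i.test(bodyText);
}

// Redact the token= value before a URL is written to a log. The key is left
// in place: the page treats the API key as safe to publish, the token not.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (url.searchParams.has("token")) url.searchParams.set("token", "REDACTED");
  return url.href;
}
```

Usage with fetch: const { url, init } = trelloRequest("/members/me", key, token); then pass the response status and body text to needsReauthorization.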