Enduco API Integration

This documentation describes the integration process and technical standard required for the enduco API.

Written by Thomas Bruckmann
Updated over 2 weeks ago

1 Integration Preparation

The test environment domain is https://beta-api.dev.enduco.app/
The public environment domain is https://api.prod.enduco.app/

1.1 Integration Application

Send an email to [email protected] with the following information:

  • Company Name

  • Company Website

  • Application Name

  • Application Logo

  • Application Description

  • Email Address for communication and access to the Management Interface

  • Needed Scopes

Available Scopes:

workouts_write

Allows uploading finished workouts as a FIT file to the enduco user account

plans_read

Allows fetching training plans up to 7 days in the future

user_read

Allows fetching the user's intensity zones

After the application is approved, enduco will issue a clientId and clientSecret and grant access to the provider management interface. Enduco reserves the right to terminate these credentials at any time.

2 Authorization Agreement

Enduco's API is based on the OAuth 2.0 protocol.

2.1 Request Authorization to access user data

Redirect your users to this URL to authorize access:

GET <ENDUCO DOMAIN>/oauth2/authorize?response_type=code&client_id=<YOUR CLIENTID>&redirect_uri=<REDIRECT_URL>&scope=<SCOPES>&state=<STATE>

  • REDIRECT_URL is the redirect URL to use once the user has approved the request

  • SCOPES is a space-delimited list of scopes to be requested

  • STATE is the state generated on your side

If the user is not already logged in, the login page will be shown, and after a successful login the user can approve or cancel your request.

On success, the user is redirected to your redirect URL:

GET <YOUR REDIRECT URL>?code=X4XyxP234J6fDnQZiw7bdyXNNDpgZO_j_0lmXB7aPNQZYM_VCNdrEc13O8t0iQHzgeX5YUiayyLsPMR7FjmrC4Ca0ZsZtwlvIN7ZYZZaaE-BEs7D1Chf6PbcWajKvPTY&state=<STATE>

  • STATE will be the same value you gave in the request before

  • the code can be used to request an access token and refresh token
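The redirect and callback steps above, as an added Python example (not enduco's code): it builds the authorize URL with a fresh random STATE and rejects any callback whose STATE does not match the one stored for that user. The `session` dict stands in for your own server-side session store, and the session key names, client id and partner.example URL are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

ENDUCO_DOMAIN = "https://beta-api.dev.enduco.app"  # test environment from this page
KNOWN_SCOPES = {"workouts_write", "plans_read", "user_read"}


def build_authorize_url(client_id, redirect_uri, scopes, session):
    """Build the /oauth2/authorize URL and bind a fresh STATE to this session."""
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    state = secrets.token_urlsafe(32)  # unguessable, new for every attempt
    session["oauth_state"] = state  # hypothetical session key
    # The token request needs the same redirect_uri again, so keep it too.
    session["oauth_redirect_uri"] = redirect_uri
    query = urlencode(
        {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "scope": " ".join(scopes),  # space-delimited list
            "state": state,
        },
        quote_via=quote,  # encode the space between scopes as %20
    )
    return f"{ENDUCO_DOMAIN}/oauth2/authorize?{query}"


def handle_callback(callback_url, session):
    """Check STATE on the redirect back and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use, even on failure
    received = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise PermissionError("state mismatch: callback not tied to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

Because the stored STATE is removed on the first callback, a replayed or forged redirect fails even if it carries a valid-looking code.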

To request the access token and refresh token, send the following request:

POST "<ENDUCO DOMAIN>/oauth2/token"

Authorization: Basic <CLIENT_ID>:<CLIENT_SECRET>
Content-Type: application/x-www-form-urlencoded
Body:
grant_type=code
code=<CODE>
redirect_uri=<REDIRECT_URL>

  • CLIENT_ID is your clientId

  • CLIENT_SECRET is your client secret

  • CODE is the code you received before

  • REDIRECT_URL is the redirect URL the user should be redirected to after success

The response contains an access token and a refresh token, with expires_in for the access token:

{
"access_token":
"eyJraWQiOiI2ZGNhMjg0ZS0xNjA1LTQ0MzUtOWEzMi1lN2E2MjRmMzA1NjAiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI2NDY0YzI1MWQzMTU4OTRlODJiNWU4NTciLCJhdWQiOiJJQ19UUkFJTkVSIiwibmJmIjoxNzYzMzgzNDY1LCJzY29wZSI6WyJ1c2VyX3JlYWQiLCJwbGFuc19yZWFkIiwid29ya291dHNfd3JpdGUiXSwiaXNzIjoiaHR0cHM6Ly9iZXRhLWFwaS5kZXYuZW5kdWNvLmFwcCIsImV4cCI6MTc2MzM5MDY2NSwiaWF0IjoxNzYzMzgzNDY1LCJqdGkiOiI4MmQ4NmVmNC05Y2EwLTQ1YjEtYjMyMC0yN2MxZjQyODdlNTgifQ.u7HmgBab9n0tXIj6K_31y-Nvw4PcqKwJsdx6oIuXEdWX22W8XO4Y6uTxC6pIDSmEr_a2OotZR5mQYY_fb4ptFTsnneMg_LAYhcprq0JcSo_FgLynKBMznLsfw5l6DxqI99P_Nze0y2bRUED5eyJEz7pH_ZFAj0UKz6BZ06rAHLQeJeAeeztdL6LoId8LHq85oY685OexPN37zUBbq7Qrokjap9Db9TA2sHSQkfr5mrozT5-kwD25sRNlCXkZclk19eNP0I8a9Ugy7W4AcmPBm-M4TgohsJEM-u7a9TVsQre7xfruThQi2A_KFLGCjP3cZd8JnbFewb1_QnxQoM240g",
"refresh_token": "efe5f3y75MXyatBoTFPYrhUekx0v-8k44bMsJuEsA4kPjtWAf2rS6OQB6xkVv0GZDWs9X5NDFEb5OAQKTpMPKaEZcYRzRpe-MM6nURzw6wz1O0x9lHTHUkqNm-arT-8b",
"scope": "user_read plans_read workouts_write",
"token_type": "Bearer",
"expires_in": 7199
}

The access token can be used to access the user's data; the refresh token can be used to refresh the access token.

2.2 Refresh Access Token

To refresh the access token, send the following request:

POST "<ENDUCO DOMAIN>/oauth2/token"

Authorization: Basic <CLIENT_ID>:<CLIENT_SECRET>
Content-Type: application/x-www-form-urlencoded
Body:
grant_type=refresh_token
refresh_token=<REFRESH_TOKEN>
clientId=<CLIENT_ID>

2.3 Revoke Token

When a user disables access on your side, send this request so that the token is deleted on our side:

POST "<ENDUCO DOMAIN>/oauth2/revoke"

Authorization: Basic <CLIENT_ID>:<CLIENT_SECRET>
Content-Type: application/x-www-form-urlencoded
Body:
token_type_hint=refresh_token
token=<REFRESH_TOKEN>


3 Provider Management Interface

The management interface is available at "<ENDUCO DOMAIN>/providers/login". Once you are approved, you will receive credentials to access this area; make sure to change the password at your first login.

In the interface you can adjust the following things:

  • Friendly Name of your Company

  • Logo URL of your Company

  • The password for the providers login

  • Add/Remove allowed Redirect URLs (ensure all used URLs are configured here)

  • Deregister Webhook URL (we will send a notification to this URL if a user cancels the access from our side)

  • Plan Changed Webhook URL (we will send a notification to this URL if the plan of the user has been adjusted)

At the bottom you can see the allowed scopes for your account. If you need more, contact us at [email protected].