Summary
Lofty API
"API" stands for "Application Programming Interface." An API is software that allows two applications to connect. Lofty has an "Open API" meaning users or vendors can access available endpoints as long as they have account credentials.
Accessing Lofty's API
To access Lofty's API, please see https://api.lofty.com/docs/index.html.
(1) API Key
If you are integrating another application with Lofty and it asks for your Lofty API key, here is where you can find that. Navigate to Settings > Integrations > API:
(2) Developer Access
If you are a developer and you are looking to build an API connection with Lofty, please review the details in Lofty OAuth 2.0.
Lofty OAuth 2.0
OAuth 2.0 is an open standard for account access authorization without requiring passwords to be provided to third parties. This method provides developers with a secure way to access Lofty API data on behalf of Lofty platform users. Most commonly, OAuth 2.0 authentication is useful to set up integrations between third-party applications (referred to as "vendors") and Lofty.
For reference, here is Lofty's API https://api.lofty.com/docs/index.html
- Create a Developer Account
- Register an Application
- Review Process/Results
- OAuth 2.0 Implementation
- Lofty User Experience
Create a Developer Account
First, access the Lofty Developer Platform.
To create a developer account, click on the Sign Up link:
Provide all of the required information and then click Sign Up:
Your credentials should be auto-generated so you can click on the login button to access your new developer account:
Register an Application
*Note: You can repeat this process multiple times if you have multiple applications that you are connecting with Lofty.
Once logged into your developer account, you will be presented with your authorizations dashboard:
To start a new application click on the + Add More Authorizations button:
Provide all of the required information and then click on the Submit button to apply.
- App Name
- Website
- Authorized Redirect URL
- The "Authorized" or "Denied" status will also be returned in this URL
- Description
- App Logo
- Primary Contact Name
- Primary Email
- Primary Phone Number
Once you hit submit, your application will be listed on its line within the authorizations dashboard along with the following columns:
- App
- Website
- Authorized Redirect URL
- Client ID
- Client Secret
- Description
- Primary Contact Info
- Status
- All
- Under Review
- Approved
- Rejected
*IMPORTANT: If at any time you need to update your application details, please reach out to the Lofty Support Team (support@lofty.com) and they will work on doing so manually.
Review Process/Results
After submitting your application, you can monitor its status via the Lofty Developer Platform. Simply log in, access your authorizations dashboard, and review the Status column at the far right.
Under Review
This status will display until the application is reviewed and either approved or rejected. This process should only take around three business days. If you do not receive a response before then, please send an email to Lofty Support (support@lofty.com).
Rejected
If rejected, the primary contact submitted with the application will receive an email with more details on why it was rejected. You can then click the Resubmit button to edit the information provided before submitting again.
Approved
If approved, you will see the client_id and client_secret in your account. You will need this information for the next step.
client_id
client_secret
OAuth 2.0 Implementation
In this section, we will discuss setting up OAuth 2.0 to authenticate users of your app and then demonstrate how to make a call to Lofty's API using the Access Token. This diagram is provided as a visual representation of this process:
User Authentication
Before your application can access private data using Lofty's API, it must obtain an Access Token that grants access. There are several ways to make this authorization request, for example, a JavaScript application might request an access token using a browser redirect to Lofty.
Once redirected to Lofty, the user needs to log into their Lofty account. After logging in, the user is asked whether they are willing to grant the permission that their application is requesting. This process is called user consent.
Your server doesn't need to do anything at this stage except wait for a response from the Lofty server to indicate whether the access is granted or not.
HTTP
https://lofty.com/page/vendor-auth.html?clientId=${clientId}
Parameter Description
| Parameter | Type | Description |
| --- | --- | --- |
| client_id | String | Determines which client is making the request. The parameter value passed must be the same as the one displayed in the Developer Platform. |
The Lofty server will send the response to the Authorized Redirect URL you submit in your application. The Auth_Code or error message that is returned to your server appears on the query string, as shown below:
Auth_Code Response
If the user grants permission, the Lofty Server will send the Auth_Code to the Authorized Redirect URL.
HTTP
https://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
Error Response
If the user does not grant permission, the server returns an error.
HTTP
https://oauth2.example.com/auth?error=access_denied
Using Auth_Code to get Access Token and Refresh Token
After your application server receives the Auth_Code, you can use it to exchange the Access Token and Refresh Token.
You can then use the Access Token to call Lofty's API on behalf of the user.
HTTP
POST api/user-web/oauth/token HTTP/1.1
Host: crm.lofty.com
Content-Type: application/x-www-form-urlencoded
Headers:
Authorization: Basic atughMaQm6bTrgtp7bas=
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=&
redirect_uri=https%3A//oauth2.example.com/code&
grant_type=authorization_code
Parameter Description
| Parameter | Type | Description |
| --- | --- | --- |
| client_id | String | The client ID obtained from the Vendor Credentials page. |
| code | String | The authorization code returned from the initial request. |
| grant_type | String | As defined in the OAuth 2.0 specification, this field's value must be set to authorization_code. |
| redirect_uri | String | One of the redirect URIs listed for your project in the Vendor Credentials page for the given client_id. |
| Authorization | String | Basic Auth, Base64 of "{clientId}:{clientSecret}" |
The following is the description of the returned fields:
| Field | Type | Description |
| --- | --- | --- |
| access_token | String | The token that your application sends to authorize a Lofty API request. |
| expires_in | int | The remaining lifetime of the access token, in seconds. |
| refresh_token | String | A token that you can use to obtain a new access token. Refresh tokens are valid until the user revokes access or until the token is more than 180 days old. |
| token_type | String | The type of token returned. At this time, this field's value is always set to Bearer. |
| scope | String | Currently a fixed value, "openApi". |
Refreshing Access Token
Access tokens periodically expire and become invalid. You can use the Refresh Token to obtain a new Access Token without prompting the user for permission again.
HTTP
POST api/user-web/oauth/token HTTP/1.1
Host: crm.lofty.com
Content-Type: application/x-www-form-urlencoded
Headers:
Authorization: Basic atughMaQm6bTrgtp7bas=
refresh_token={your refresh_token}&
grant_type=refresh_token
Parameter Description
| Parameter | Type | Description |
| --- | --- | --- |
| client_id | String | The client ID obtained from the Vendor Credentials page. |
| code | String | The authorization code returned from the initial request. |
| grant_type | String | As defined in the OAuth 2.0 specification, this field's value must be set to refresh_token. |
| redirect_uri | String | One of the redirect URIs listed for your project in the Vendor Credentials page for the given client_id. |
| Authorization | String | Basic Auth, Base64 of "{clientId}:{clientSecret}" |
The following is the description of the returned fields:
| Field | Type | Description |
| --- | --- | --- |
| access_token | String | The token that your application sends to authorize a Lofty API request. |
| expires_in | int | The remaining lifetime of the access token, in seconds. |
| refresh_token | String | A token that you can use to obtain a new access token. Refresh tokens are valid until the user revokes access or until the token is more than 180 days old. |
| token_type | String | The type of token returned. At this time, this field's value is always set to Bearer. |
| scope | String | Currently a fixed value, "openApi". |
Lofty User Experience
As a sample of what the user experience would look like if this was configured, please reference Managing Authorization by Third-Party Apps & Services.
Vendors Accessing User Data
Make sure you have your Client ID handy. For this sample, we're going to use YOURCLIENTID.
The authorized redirect URL provided by vendor to receive code is https://YOURAPP.com/redirect
Vendors cannot pull data from any Lofty users unless the Lofty user started the integration themselves.
If a Lofty user wants to use your approved app:
- Make sure they are logged in to Lofty on their browser
- The Lofty user can find your app using your link: https://crm.lofty.com/page/vendor-auth.html?clientId=YOURCLIENTID
- The Lofty user will click Authorize to add your app
Our system will validate the Lofty user's account login cookies and your Vendor ID. If both are successfully validated, our system will generate a short-term authorization code and send it to the provided vendor callback URL (NOT to the Lofty user).
Once you receive the code, use the following API to obtain the bearer token using the customer's authorization code:
curl --location --request POST 'https://crm.lofty.com/api/user-web/oauth/token?code=THEIRAUTHORIZATIONCODE&client_id=YOURCLIENTID&redirect_uri=YOURAPP.COM/REDIRECT&grant_type=authorization_code' \
--header 'Authorization: Basic {Base 64 of the client_id:clientSecret}' \
--header 'Content-Type: application/x-www-form-urlencoded'
- This is only done on the Vendor side if they want to obtain the bearer token
After the bearer token is obtained, Vendors can use the token to get data from the Lofty user's account using Lofty Open API. This data can be used for your own integrations or apps.
Since the bearer token is provided to the vendor directly, agents are not able to rotate it. If an agent wants to disconnect a connected integration, they can do so by clicking Disconnect.
Rebranding from api.chime.me to api.lofty.com
For vendors/partners utilizing the old API, you need to make this change before September 30, 2024. Please refer to the sample below:
FROM:
curl --location 'https://api.chime.me/v1.0/me' \
--header 'Content-Type: application/json' \
--header 'Authorization: XXXXXXXXXXXXXXX' \
--data ''
TO:
curl --location 'https://api.lofty.com/v1.0/me' \
--header 'Content-Type: application/json' \
--header 'Authorization: XXXXXXXXXXXXXXX' \
--data ''
Questions?
If you have any questions regarding this topic or any others, please reach out to our Support Team via email at <support@lofty.com>, by phone at 1 (855) 981-7557, or by chat with us through your Lofty CRM.
Related terms: Open API, Developer Platform