Authorization in public integrations

When developing a public integration, with or without a widget you need to create a private integration. After creating a private integration you need to pass it to moderation, if it passes moderation successfully it will be shown in the public marketplace.

At the moment integrations without widgets cannot be shown in the main list of integrations, but they do get more capabilities than private ones (more on statuses)

Access to the API of the account can be achieved by a few means:

  1. From installing a button on site.
  2. Getting a code from the interface.
  3. Via a Webhook, that will be sent to Redirect URl after installing the widget.

Let discuss each way in more detail:

  1. If your integration works with amoCRM only via API and doesn’t use a widget in it, the best way to get access to the API will be the button for authorization on site. When clicking the button a user will have to choose accounts where he is a user in and if he will be granted access he will be redirected to the page with Redirect URl with GET parameters – code, referrer, state. After that the user will see the integration in the installed list. Please note, to pass the moderation, these integrations need to fully indicate the functionality, where the integration can be installed, where pricing can be found (if there is one) and possibilities. In future such integrations will be part of the marketplace and will be shown in the lists.
  2. If your integration is private, the most simple way to get code of authorization, is copying it from the integration window. Next, you need to exchange it for an Access token and you can use API.
  3. If your integration has a widget in it, whether it is public or private, when installing the widget from amoCRM’s interface you will get a Webhook to the indicated settings of the integration Redirect URl with GET-parameters – code, referrer, from_widget. The parameter code has an Authorization code, parameter referrer – address of the account of the user, parameter from_widget – says that the request was sent because of the installation of the widget. Limitation on sending webhooks from our side – 3 seconds. Code of the answer is not checked, additional sending is impossible. Please note, that in widgets it is strictly prohibited to use virtual clicks on the install button.

How to check the mechanism of authorization without passing moderation?

If you develop a service that will work via API, you can use the functionality of the button on site with limited features, before passing through moderation. In the window for getting permissions only one account can be chosen – the one where integration was created. After selecting an account the same mechanism of redirecting users will start, as for public integration.

If you develop an integration that has a widget and a backend part, that works with our API, you always can get a webhook when installing/enabling a widget, it doesn’t matter if your widget is public or private.

Technical account

We consider an account as a technical for integration, if integration was created in it. Change the name of it, description, activity. Updates can be done by any administrator, only from that account. All questions about developing and moderation of the widget need to be sent to the support chat of such a technical account.