How to create apikey and secret from username and password

Hello

We currently have a mobile application (iPhone and Android) that captures a username and password that is passed to the api, https://campbellhall.myschoolapp.com/api/authentication/login, for authentication. From my understanding that api no longer accepts username and password but now requires an apikey and secret combination in place of username and password.

My question is how do you pass the username and password from a mobile device to get the apikey and secret combination?
Does anyone have a working example on how this is done?

Thanks

Comments

  • Bryna Gleich (Blackbaud Employee)

    There are 2 APIs for Education Management.

    SKY API for Schools

    Its discussions are in the SKY Developer user community (where you are now)

    Its documentation is

    We recommend all new development use the SKY API for Schools.

    Legacy “ON” API

    Its discussions are in the K-12 Education Management user community

    Its documentation is

    This API is still supported, but is no longer being expanded.

    The Legacy “ON” API recently changed to requiring Authentication Tokens (Secret and Key).

    The tokens are created in Education Management by a user with the ON API Access Manager role for the user account that runs the API app. (Go to Core. Select Security. Select Authentication settings. Select ON API Access.) A platform manager must grant the ON API Access Manager role to another user and/or to themselves. A platform manager can manually assign these roles through the access tab on an existing user's profile in Core via the Access tab.

    This was announced in release notes for Education Management and in the Education Management user community blog and discussions beginning in February, to give schools time to prepare for the change due in July.

    The ON API Access manager creates the tokens and shares them with the developer or application. The manager also updates the user account's roles in Education Management and can invite the user to authenticate with Blackbaud ID (they'll still use the Key and Secret for their API app).

    If the API app has a user interface that previously took a legacy username and password, you can use that UI and enter the Key and Secret in place of the old information, thus avoiding a code change.

    Alternatively, a developer can update the POST for the API app to use the new information.

    Route: https://{school}.myschoolapp.com/api/authentication/login.

    The body of the POST should contain the following JSON structure:

    {
      "username": "KEY",
      "password": "SECRET"
    }

  • Hi Bryna

    Thanks for the resources and guidance. I'm looking through the documentation and understand we need to pass a username/key and password/secret combination for authentication.

    Say for example, I have a parent who previously was able to use their username/password to log into our mobile application using (again just an example) johndoe/1234567 as their username and password. And let's say with the new update the key/secret is something like 9876/wxyz. The value passed would be like this:
    {
    johndoe: 9876
    1234567: wxyz
    }
    That would be the correct format as you described?

    Now, expanding on the example, I have another parent whose login username/password would be janedoe/a1b2c3. Would the key/secret combination still be 9876/wxyz like this:
    {
    janedoe: 9876
    a1b2c3: wxyz
    }
    or is the key/secret combination unique for each user? What if we have 1000+ users? Do we need to generate a unique key/secret combination for each of the 1000+ users?
    or is the key/secret combination unique for each organization?

    Thank you as this will clear up some questions I had going through this.

  • Bryna Gleich (Blackbaud Employee)

    Gail Dolormente:

    Hi Bryna

    Thanks for the resources and guidance. I'm looking through the documentation and understand we need to pass a username/key and password/secret combination for authentication.

    Say for example, I have a parent who previously was able to use their username/password to log into our mobile application using (again just an example) johndoe/1234567 as their username and password. And let's say with the new update the key/secret is something like 9876/wxyz. The value passed would be like this:
    {
    johndoe: 9876
    1234567: wxyz
    }
    That would be the correct format as you described?

    Now, expanding on the example, I have another parent whose login username/password would be janedoe/a1b2c3. Would the key/secret combination still be 9876/wxyz like this:
    {
    janedoe: 9876
    a1b2c3: wxyz
    }
    or is the key/secret combination unique for each user? What if we have 1000+ users? Do we need to generate a unique key/secret combination for each of the 1000+ users?
    or is the key/secret combination unique for each organization?

    Thank you as this will clear up some questions I had going through this.

    The format should be:

    {
      "username": "9876",
      "password": "wxyz"
    }

    Literally put the key and the secret where the old info used to go. One replaces the other in the existing code.

    The key and secret are for the person who develops and manages the app, not necessarily for a parent who merely benefits from the app.
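The login POST described in this thread, as an added example that is not part of any post or of Blackbaud's documentation: the Key goes in "username" and the Secret in "password", one pair for the whole app rather than one per parent, read from the environment instead of being hard-coded. The environment variable names ON_API_KEY and ON_API_SECRET, the subdomain check and the Content-Type header are assumptions of this example.

```python
import json
import os
import re
import urllib.request

# Route from the thread; {school} is the school's myschoolapp.com subdomain.
LOGIN_ROUTE = "https://{school}.myschoolapp.com/api/authentication/login"
# One DNS label only, so a crafted value cannot point the credentials at another host.
_SCHOOL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def load_credentials(env=os.environ):
    """Read the single app-level Key/Secret pair (hypothetical variable names)."""
    key = env.get("ON_API_KEY", "")
    secret = env.get("ON_API_SECRET", "")
    if not key or not secret:
        raise RuntimeError("ON_API_KEY and ON_API_SECRET must both be set")
    return key, secret


def build_login_request(school, key, secret):
    """Build the POST: the Key goes in "username", the Secret in "password"."""
    if not _SCHOOL_RE.fullmatch(school):
        raise ValueError(f"invalid school subdomain: {school!r}")
    body = json.dumps({"username": key, "password": secret}).encode("utf-8")
    return urllib.request.Request(
        LOGIN_ROUTE.format(school=school),
        data=body,
        headers={"Content-Type": "application/json"},  # assumed for a JSON body
        method="POST",
    )


def redacted_body(request):
    """Copy of the request body that is safe to log: the Secret is masked."""
    fields = json.loads(request.data)
    fields["password"] = "***"
    return fields


def login(school, timeout=10):
    """Send the login POST and return the raw response text.
    The thread does not describe the response, so it is not parsed here."""
    request = build_login_request(school, *load_credentials())
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")
```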

  • Hi Bryna

    Thanks so much for your reply!

    Ok, it does sound like the key/secret is per developer or per organization. I was worried about how to generate the key/secret for each user we have.

    I'll move forward with this, this is really useful information.


    Thank you again,