How to Generate Access Token Without User Interaction for Nightly API Data Sync

Brilliant Associates
Brilliant Associates
in SKY Developer General Discussions

Hi community,

We're planning to consume Blackbaud API data on a nightly basis as part of an automated process. For this to work, we need to generate an access token without requiring any user interaction each time.

What is the recommended way to implement this?
Is there a way to use client credentials flow or any other method supported by Blackbaud that allows us to programmatically obtain tokens?

Any guidance or documentation would be greatly appreciated!

Thanks in advance.

Comments

  • Eric Eskildsen
    Eric Eskildsen
    Sixth Anniversary Kudos 1 Name Dropper Participant

    Hi, Blackbaud doesn't provide client credentials flow. However, you can still do this programmatically. The only time you need user interaction is the very first authorization. After that, you can get access tokens and new refresh tokens programmatically forever. You never need to authorize interactively again.

    Here's one way to do this:

    46ca8773286e2e038de06095ac01f82c-huge-im


    • Get a refresh token by sending an HTTP POST request to https://oauth2.sky.blackbaud.com/token.

      PowerShell example:

      $response = Invoke-RestMethod https://oauth2.sky.blackbaud.com/token -Method Post -Authentication Basic -Credential ([pscredential]::new('YourAppsClientId', (ConvertTo-SecureString 'YourAppsClientSecret' -AsPlainText -Force))) -Body "grant_type=authorization_code&code=YourCode&redirect_uri=https://localhost/"

      Replace YourAppsClientId, YourAppsClientSecret, and YourCode.

    • The refresh token is in $response.refresh_token. Save that to your database or credential manager. Also record the date it was retrieved. It will expire in 365 days. You'll need to renew it before then. Renewal can be done fully programmatically.

    • At any time during the refresh token's lifetime, programmatically get an access token from the refresh token like this:

      $response = Invoke-RestMethod https://oauth2.sky.blackbaud.com/token -Method Post -Authentication Basic -Credential ([pscredential]::new(YourAppsClientId, (ConvertTo-SecureString YourAppsClientSecret -AsPlainText -Force))) -Body "grant_type=refresh_token&refresh_token=YourRefreshToken&preserve_refresh_token=true"

      Replace YourAppsClientId, YourAppsClientSecret, and YourRefreshToken.

      The access token is in $response.access_token. Access tokens expire in 1 hour.

      Notice preserve_refresh_token in the request. This prevents Blackbaud from expiring your refresh token and generating a new one.

    • You can make API requests using the access token like this:

      $response = Invoke-RestMethod YourApiUrl -Header @{'Bb-Api-Subscription-Key' = YourBlackbaudApiSubscriptionKey; 'Authorization' = "Bearer YourAccessToken"}

      Replace YourApiUrl, YourBlackbaudApiSubscriptionKey, and YourAccessToken.

      You can find your Blackbaud API subscription key here: https://developer.blackbaud.com/subscriptions/. Click Show under Primary access key to view it.

    • Renew your refresh token any time before the 1-year expiration. You can do this by making an access token request and leaving off preserve_refresh_token=true. This causes a new refresh token to be included in the response.

      $response = Invoke-RestMethod https://oauth2.sky.blackbaud.com/token -Method Post -Authentication Basic -Credential ([pscredential]::new(YourAppsClientId, (ConvertTo-SecureString YourAppsClientSecret -AsPlainText -Force))) -Body "grant_type=refresh_token&refresh_token=YourRefreshToken"

      Replace YourAppsClientId, YourAppsClientSecret, and YourRefreshToken.

      The access token is in $response.access_token like before. There's also a new refresh token in $response.refresh_token.

    I hope this helps! Let me know if you have any questions.

Categories