I created a company web app that interfaces with Trello. The Web App acts as an entry point and captures data, which is then fed to the Trello API to create / update cards. I created an “interface user”, to be the intermediary. I generated a key and a token for this interface user and the app submits trello api requests on behalf of my actual users.
In the next release of this company app, we wish to roll out to a bunch of users. I would like to change the logic of the authentication to “authorize” the web app to use each person’s account instead of this one interface user.
Trello API key is tied to a user. You cannot use the same API key to generate a token for another account (trellodev). You can go to https://trello.com/app-key/ in order to retrieve the API key for the account you’re logged in to.
I understand that will work… if the users generated their own api keys. I thought based on the article the api key acts as an “app key” of sorts and you use it to request different tokens, including tokens for different users once they approved app access to the account.
My question now is… how do I programmatically get each user’s api key and token that is going to use the company app? Can I make a REST call to https://trello.com/app-key/ to get the app key, then run 1/authorize for the token? Or does each user need to manually get their api key, send it to me, then I store it in a database?
FYI… I forgot to mention… thank you very much for your reply and I appreciate any insight you can offer in helping me with Trello authorization / integration.
Your understanding of the authorization flow is correct and the process you are trying to follow is the right one. You should only use the one API key to generate tokens for each user. One key and many tokens.
I’m surprised by this. If you’re logged in as the second user, do you see meta-data for the token that was generated when you go to: https://trello.com/1/members/me/tokens?
That API endpoint should list all of the tokens that belong to the user.
Yes I do. In the meta-data, it lists the correct identifier: CE Webtools. It also lists the correct expiration, and permissions. I cannot see the key anywhere to validate it.
Same key, 2 different tokens. They both returned successful!
I went back to the offending Postman tab. I compared EVERY character in the url. It all matched. Still returned “invalid token”. I don’t know what was screwy about that tab. But, I will simply move on with this approach since it is actually working.
The api.-less URL shouldn’t be used for anything other than poking around. Although it does work, it is reserved for use by first-party clients. It is a great way to quickly test API routes though because it will use your logged-in Trello user’s authentication if no key/token are present.
