MYOB API Authentication Not Working

6magics · September 2022

Hi, I've been struggling on and off for several weeks trying to get API access working outside of a postman environment using python scripts. I managed to get the initial token refresh request (to https://secure.myob.com/oauth2/v1/authorize/) working fine and my scripts recieve valid access tokens with every request.

My issue is when performing any other request other than refreshing the token, I am met with an unauthorized error and no additional information.

For a standard get request from the api, my request headers are as follows:

"Authorization": "Bearer " + cache["MYOB_ACCESS_TOKEN"],
"Cache-Control": "no-cache",
"Accept": "*/*",
"Accept-Endoding": "gzip, deflate",
"Connection": "keep-alive",
"x-myobapi-cftoken": cache["BASE64_CREDENTIALS"],
"x-myobapi-version": "v2",
"x-myob-api-key": cache["MYOB_API_KEY"]

These headers are exactly the same as those used in the postman environment (except for the cftoken) so I'm absolutely baffled as to what the issue with the authentication processes is.

An example of the requests attempting is as follows:

URL: {{company_file_uri}}/{{company_file_id}}/Sale/Invoice/Service

r = requests.get(url, headers=get_headers())

Interestingly, I've noticed that the refresh token response for my python requests is missing several attributes that are described in the API docs. My response only includes 'access_token' and 'scope', while the docs specify 'access_token', 'token_type', 'expires_in', 'refresh_token', 'user':{ 'uid', 'username'}; it is worth noting that these attributes do exist in the postman response for the refresh token request.

I have also noticed that this request does not work in postman or python.

https://secure.myob.com/oauth2/v1/Validate?scope="CompanyFile"

kjm · September 2022

unauthorised seems to suggest it is well formed but has something to do with key or token...have you encoded it correctly..I recall I had a similar issue and needed to escape data string to get it going...sorry dont recall exactly what I did

what the url you are querying? put in the full route

here is my get request from the NET SDK from a trace in Fiddler. This works.
I would;

1. Get rid of Cache control header

2. Get rid of Accept header

3. Modify Accept-Encoding to only include gzip

4. Get rid of Connection header

I can't promise that will make any difference but I have had issues where otherwise harmless headers have prevented me fro getting it working. As you can see this is from the .NET SDK. I have a restsharp client that contructs it as well but I dont have the trace for it here. If you are still stuck afte rthis then reply and I'll get it to you and you can compare then

GET https://arl2.api.myob.com/accountright/f173[TRUNCATED]aa/Payroll/PayrollCategory/Wage/ HTTP/1.1
Authorization: Bearer AAEAAEX[TRUNCATED]CclRjZRxLZM
Accept-Encoding: gzip
User-Agent: MYOB-ARL-SDK/2022.6.425 (+http://developer.myob.com/api/accountright/v2/)
x-myobapi-key: xdf[TRUNCATED]dye
x-myobapi-version: v2
x-myobapi-cftoken: QWRt[TRUNCATED]N0Wjgj
Host: arl2.api.myob.com

6magics · October 2022

I just tried removing those headers but had no luck.

I have not personally encoded any of the keys or tokens except for the x-myobapi-cftoken containing the credentials which is b64 encoded. I'm not sure if the python requests module automatically applies and encoding scheme but I haven't run into any issues with that when requesting other APIs.

An example request that I've been using is:

GET: https://ar1.api.myob.com/accountright/{{company_file_id}}/Sale/Invoice/Service

kjm · October 2022

Asking the obvious: have you actually got permission to login to the file online using the user credentials you are sending??

install Fiddler and capture your request and see what is getting sent exactly. Your example is your call from your code. Capture the actual request and examine that. From there you can start to see what is going wrong. My example is capture from Fiddler and shows a successful call
@6magics

Here is a call from RestSharp .NET library which is just a lib around a httpclient to simplify calls to API

GET https://api.myob.com/accountright//f173ad4{TRUNCATED}aaa/Sale/Invoice HTTP/1.1
authorization: Bearer AA{TRUNCATED}3TWg-WJ
x-myobapi-cftoken: QWRt{TRUNCATED}Wjgj
x-myobapi-key: xd{TRUNCATED}ye
x-myobapi-version: v2
Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml
User-Agent: RestSharp/108.0.2.0
Host: api.myob.com
Accept-Encoding: gzip

I am Base64Encoding the cftToken