Popup

Getting startet on a new client:

Our api uses the OAuth 2.0 Client Credentials Grant flow , and to get started on a new client you need to get a unique clientkey from the client. A user on the client is responsible for activating your integration on the client, thus concenting to giving your integration read or write acces to the client via our api's.

The user on the client must either have the role of an administrator, or have the user privelige "settings -> Organization" in order to activate the integration. There are two main routes to activate an integration on a client in Go, see below.

Onboarding from your end:

If your integration implement our onboarding solution, the process of activating your integration on a Go client can be started from your system/website.

This onboarding workflow is a process that is initiated in your end (your system), allowing a user to login to Go and accept onboarding and activation of your integration for the relevant client(s) the user have access to. The end result of the onboarding is that your integration is activated on the client(s), and the client key(s) returned to you in a secure manner abstracted from the user. Meanwhile, the user is redirected to an url of your choosing.

Onboarding manually from Go:

Public integrations:

A public integration will be directly visible and searchable by name in the list of integrations in the Go user interface, when the user want to activate the integration on the client. The user navigates to Menu -> Settings -> Extensions -> Add extension, and find your integration by name.

Internal (private) integrations:

Internal integrations, not meant public/commercial use, will not be directly visible and searchable by name in the list of integrations in Go. The user then need to add a "Custom extension" when navigating to Menu -> Settings
-> Extensions -> Add extension.

A "Custom extension" require that the user inputs the application key. This means that you will need to supply the client user with the application key in order for the user to activate your integration.

Security - client key delivery:

Regardless of public/internal state, the user will be presented with window with the client key visible. It is important that the client key is copied and stored in a secure manner, before the user press "OK" and activate the integration. When the window is closed and the integration activated, the client key is salted and hashed by the system, and will be masked. It is not possible to retrieve the client key again from Go, once activated. Should the client key be lost, a user need to delete the integration and reactivate it on the client in order to generate a new client key.

The client user should deliver the clientkey to you in a secure manner, preferably not by e-mail and if so encrypted with the key and encryption password sent separately. If the client can login directly into your system an paste the clientkey in their settings, this is a viable option. All parties need to consider the clientkey a secret, and treat it as such. This also means that you should mask the clientkey in your user interface, if the user can manage integration settings in your system.