Usage scenario 1: Requesting data extracts
Use GET to URL: https://api.basware.com/v1/dataExtracts. You will receive a list of available data extracts.
Use "id" from above list and use GET to URL: https://api.basware.com/v1/dataExtracts/{extract_id}. You will get information about the content of that extract ID and a URL to download it.
Based on the type available in the information you can decide if it is an initial load or a daily delta extract.
Initial load
If the "type" in the list of the extracts is "Initial", the extract is for the initial load.
Initial load defines the data extracts that contain the data for all documents from your production environment, aligned with the Basware Cloud Services data retention period.
If you are a new customer and you are building the integration from day one, you do not need initial load.
Daily deltas
If the "type" in the list of the extract is "Delta", the extract is for the daily delta.
- Daily deltas are daily changes or changes from the last extractions.
- New documents
- Any document status changes
- Delta is available for one year from the creation date.
- Delta is created for each data set on a daily basis.
- Customers must build continuous delta flows. For example, if a customer wants to have data for the whole week, they must get the delta for each day.
- Delta is always a snapshot from the previous extract.
Acknowledge
After you have downloaded the files from the extract, and if you do not want the already downloaded extracts to be shown again, you can use the following API:
Use POST /v1/dataExtract/{extract_id}/acknowledge with the following message to mark them acknowledged. The acknowledged extracts will not show up again when fetching the list of extract ids.
{ "succeeded": true, "message": "Action done successfully"}Requesting the data extract ZIP file specification
Use GET to https://api.basware.com/v1/dataExtracts/specification/tableDefinition. You will get a specification of the content inside the extracted ZIP file.
Authentication and access rights
Authentication
Basware APIs support the following authentication types to authenticate API clients. You can choose the authentication type when requesting Basware to create your API user.
- Basic HTTP authentication
- OAUTH2 (client credentials flow)
All communication is secured using the HTTPS protocol (HTTP over TLS, TLS version 1.2 or later). You must make all API requests over HTTPS. API requests made without authentication will fail.
Using basic HTTP authentication
Basic HTTP authentication relies on passing username and password along with each API request. The username and password are encoded in the HTTP Authorization request header.
Using OAUTH2 authentication
Basware P2P APIs support the OAUTH2 client credentials flow. The client credentials flow works by first requesting an access token from a dedicated API endpoint /v1/tokens using a client ID and client secret (sent as Basic Auth header), then passing that token in subsequent API operations. This token is passed as a bearer token in the Authorization request header. You must specify the API operations permitted by the token when requesting the access token. Tokens have a limited validity time (default one hour), after which a new token needs to be requested. Token validity time can be specified while requesting the OAUTH2 credentials from Basware. The minimum validity time is five minutes and the maximum is 24 hours.
There is a separate swagger page for the APIs to retrieve OAUTH2 tokens. Most integration tools have built-in OAUTH2 support for both requesting an access token and using it in subsequent calls.
API operations permitted by an access token are called scopes. The scopes available are restricted by the access rights granted to API users. When returning the requested scopes Basware API will ignore any missing or misspelled scopes. Scopes must always be specified. For optimal security, it is recommended to request only the scopes necessary for each API operation during production use. Multiple scopes can be specified by separating them with a blank space.
Each scope in Basware API consists of API name + allowed operation. The following operations are available:
- 'read' operation grants access to GET operations.
- 'write' operation grants access to POST and PATCH operations.
- 'delete' operation grants access to DELETE operations.
Available scopes are listed below.
Scopes for the Data Extract API
- dataExtract.read
- dataExtract.write
Note that the scopes must be separated by a blank space. If you have copied and pasted multiple lines from the list above, remove the new line characters. The scope 'taskStatus.read' is necessary to check the status of long-running DELETE operations.
Make sure you have a mechanism to automatically fetch a new token when your existing token expires. This is especially important for long-running tasks, such as a large initial loads of matching orders, that may take more time than the maximum validity time of a token (24 hours). Basware API does not support refresh tokens. You must request a new token every time using client ID and client secret (same way as when getting the token for the first time).
API consumers can validate token signature using metadata from API endpoint:/.well-known/jwks.json. Each token returned by Basware API is signed by one of the public keys listed in the returned payload. The access tokens are returned as jwt tokens. Their contents can be viewed through jwt.io.
If you are currently using basic authentication and want to switch to using OAUTH2, you can request OAUTH2 authenticated API user credentials from Basware. You will receive new credentials. Your existing basic authentication API credentials will continue to work alongside the new OAUTH2 credentials. When you have completed the switch, request Basware to deactivate your previous API user credentials.
Access rights
API user access rights control what the user can do when interacting with Basware API. One user can be granted several kinds of access (read, write, delete) to several API endpoints. It is possible, for example, to have read access to AccountingDocuments and read+write access to Contracts on the same API user. You can request an API user with a combination of read/write/delete access to any of the APIs listed in this manual. If no restrictions are specified, the API users will have full access (read+write+delete) to all P2P APIs. Changes to API access rights will take effect within five minutes from making the change.
Available access rights are:
- 'read' grants access to GET operations.
- 'write' grants access to POST and PATCH operations.
- 'delete' grants access to DELETE operations.
For full access, all above rights mus be granted. Write alone does not grant access to GET operations and delete alone does not grant access to GET/POST/PATCH.
If the API user uses OAUTH2 for authentication, there are two levels of granting access. The first level is on the API user, specifying what access is granted overall for the user. The second level is controlled by the customer when requesting scopes on OAUTH2 access tokens. The scopes on the token determine which API operations are allowed when passing the token. If scopes are requested to API operations that are not granted to an API user, such scopes will not be granted through access tokens either.
Common scenarios where access restrictions are needed are:
- Restricting access for technical partners, who GET/POST data only to one API, such as Contracts.
- Restricting access for a reporting integration, which for example is only allowed to GET records.