API problems

Hi Mondo!

I’m writing a client library for your API in Golang, more for a learning experience than anything. However, after creating a secret key in the developer tools section, it says ‘status pending’. When I try to authenticate using the password grant, I get

{"error":"unauthorized_client","error_description":"Client does not have permission to use the requested grant","message":"Client does not have permission to use the requested grant"}

Any ideas?

Password grants are (for good reason) completely off the table for most OAuth clients. Implement three-legged authorization instead.

You shouldn’t be handling the user’s Mondo credentials - that’s the whole point of OAuth :slight_smile:

1 Like

Hi! As @billinghamj mentioned, for your client you should be using the Authorization code grant which allows Mondo users to grant permissions to your application (and crucially revoke access) rather than requiring them to give you their password.

We originally added the password grant for ease of use for developers as we developed the API and moved to support OAuth 2, however we’ll be removing it fairly soon now the Authorization code grant is fully up and running.

A client with PENDING status in the developer tools means that you (the owner of a client) can authorise access to your own Mondo account for this client, but no other Mondo user can authorise their accounts - this is essentially a development mode for your application, and allows you to test it properly!

Once you’re happy with this we can also whitelist a few additional Mondo users (e.g. friends / coworkers) to allow them to also authorise your client to access their accounts and test out your application, but we can’t currently grant all Mondo users access. There are a few privacy and security concerns, so this is something we’re very carefully considering - there’s a bit more info in our blog post here: https://getmondo.co.uk/blog/2016/02/03/mondo-api/

Hope that helps! :grinning:

2 Likes
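The client side of the authorization code grant recommended in the replies above, sketched in Go as an added example (not part of the thread and not Mondo's code). The endpoint, client ID and redirect URI are placeholder assumptions; the parameter names are the standard OAuth 2.0 ones.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Placeholders (assumptions): use the provider's documented endpoint and your own client.
const (
	authorizeEndpoint = "https://auth.example.invalid/authorize"
	clientID          = "CLIENT_ID_PLACEHOLDER"
	redirectURI       = "http://localhost:8080/callback"
)

// BeginAuthorization returns the URL to send the user to and the state to keep in their session.
func BeginAuthorization() (authURL, state string, err error) {
	b := make([]byte, 32)
	if _, err = rand.Read(b); err != nil {
		return "", "", err
	}
	state = base64.RawURLEncoding.EncodeToString(b)
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "state": {state}}
	return authorizeEndpoint + "?" + q.Encode(), state, nil
}

// CodeFromCallback checks the redirect's query and returns the one-time authorization code.
func CodeFromCallback(q url.Values, wantState string) (string, error) {
	if wantState == "" || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(wantState)) != 1 {
		return "", errors.New("state mismatch: discard this callback")
	}
	code := q.Get("code")
	if e := q.Get("error"); e != "" || code == "" {
		return "", errors.New("no authorization code granted: " + e)
	}
	return code, nil
}

func main() {
	authURL, _, err := BeginAuthorization()
	if err != nil {
		panic(err)
	}
	fmt.Println("send the user to:", authURL)
}
```

The client never sees the user's password: it only receives the code, which its server side then exchanges at the token endpoint together with the client secret.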