Authentication

API requests are made via HTTPS to the endpoint:

https://www.esayworkmobile.co.uk/webapi2/api

The default response from this endpoint provides some data about the instance. On-premise solutions will receive data pertinent to your own instance. Requesting it is a good way to confirm that you have a route to the API and that it is available.

This action returns a response without the session requiring authentication.

However, every request that interacts with your account must include a valid bearer token in the Authorization header of the HTTPS request. We have provided some examples of how to do this via C# and TypeScript.

Generating a bearer Token

The account section contains a login method, /api/Account/Authenticate. Supplying valid credentials to it returns a valid bearer token. The returned token will look similar to the example below:

This token must be provided in the Authorization header of subsequent calls. The example below illustrates how to return the set of forms that are visible to the user logged in to the account.

GET ...................api/Forms HTTP/1.1
Host: .....esayworkmobile.co.uk
Connection: keep-alive
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Microsoft Edge";v="96"
accept: */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJDdXN0b21lcklkIjoiMjgiLCJMb2dpbklkIjoiMTgwNCIsIlJ....
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://dev3.esayworkmobile.co.uk/webapi2/swagger/index.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Bearer tokens have a built-in expiry of 24 hours in WorkMobile, which means that regular re-authentication is required. This is suitable where the interface is being consumed via an interactive UI but is more problematic when used within a scheduled job or other type of interface.

To avoid having to specify passwords in a file, the user has the option to create a portal user with suitable (and limited) access, associate a token (GUID) with that account, and provide access via that method.

To create an access token in WorkMobile, use the following section on the Logins page

Clicking on Generate will create a GUID, which can then be copied to the clipboard by using the icon at the end of the display box.

Once you have the GUID, instead of providing a bearer token header in your call, you can supply a header named X-Api-Key and a value of the token copied from the above WorkMobile screen.

The API token will give you non-expiring access until you revoke or regenerate the token. You can add an optional description and click the update button to save the description without recreating the token.
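
The following TypeScript sketch shows how a scheduled job might choose between the two header schemes described above (Authorization: Bearer and X-Api-Key) while refusing plain HTTP, tracking the 24-hour bearer expiry, and keeping credentials out of logs. It is an added example, not WorkMobile's own sample code. The function names, the five-minute refresh margin, and the hyphenated GUID format are assumptions.

```typescript
// Added example. Header names and the 24-hour lifetime come from the page;
// function names, the refresh margin and the GUID pattern are assumptions.
const BEARER_LIFETIME_MS = 24 * 60 * 60 * 1000; // expiry stated on the page
const REFRESH_MARGIN_MS = 5 * 60 * 1000;        // assumed safety margin
// Assumed GUID layout: 8-4-4-4-12 hex digits.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

type Credential =
  | { kind: "bearer"; token: string; issuedAt: number } // from /api/Account/Authenticate
  | { kind: "apiKey"; guid: string };                   // generated on the Logins page

// True when a bearer token is within the margin of its 24-hour expiry.
function needsReauth(cred: Credential, now: number = Date.now()): boolean {
  if (cred.kind !== "bearer") return false; // API tokens last until revoked
  return now - cred.issuedAt >= BEARER_LIFETIME_MS - REFRESH_MARGIN_MS;
}

// Build the auth header for one request, rejecting unsafe or stale input.
function authHeaders(url: string, cred: Credential,
                     now: number = Date.now()): Record<string, string> {
  if (!/^https:\/\//i.test(url)) {
    throw new Error("refusing to send credentials over a non-HTTPS URL");
  }
  if (cred.kind === "apiKey") {
    if (!GUID_RE.test(cred.guid)) throw new Error("API token is not a GUID");
    return { "X-Api-Key": cred.guid };
  }
  if (needsReauth(cred, now)) {
    throw new Error("bearer token expired or about to expire; re-authenticate");
  }
  return { Authorization: "Bearer " + cred.token };
}

// Copy headers for logging with credential values removed.
function redactForLog(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(headers)) {
    const lower = name.toLowerCase();
    if (lower === "authorization") out[name] = headers[name].split(" ")[0] + " [redacted]";
    else if (lower === "x-api-key") out[name] = "[redacted]";
    else out[name] = headers[name];
  }
  return out;
}
```

Because the X-Api-Key value does not expire, store it in a secret store rather than in the job's source or configuration file, and regenerate it on the Logins page if it is ever exposed.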