API without authentication

  • bandtank
    Active Community Member
    • Mar 2017
    • 379

    API without authentication

    Is it possible for Espo to accept API requests without requiring authentication? I need Espo to accept a request from third-party software that does not offer any of the available authentication methods. I would authenticate the request in a module using custom logic, but the request never gets there because Espo returns a 403. The third-party software is not configurable, so I can't add headers.

    Edit: To clarify, I am talking about API access to the back end via PHP. The idea is for the request to be accepted by the Slim router in application/Espo/Core/Api/Starter.php without needing to authenticate.
    Last edited by bandtank; 01-20-2023, 04:31 PM.
  • Kharg
    Senior Member
    • Jun 2021
    • 410

    #2
    You could create a custom controller with a noauth parameter in the route.




    • bandtank
      Active Community Member
      • Mar 2017
      • 379

      #3
      Originally posted by Kharg
      Thanks. That sounds like exactly what I want to do. How do you specify the 'noauth' parameter? It isn't in the documentation as far as I can tell. Are you saying the parameter is defined in the controller, request header, both, or somewhere else?


      • murray99
        Member
        • Jan 2017
        • 57

        #4
        In the routes.json like this
        [
          {
            "route": "/actionbuttons/test",
            "method": "post",
            "params": {
              "controller": "ActionButtonsController",
              "action": "test"
            },
            "noAuth": true
          }
        ]


        • bandtank
          Active Community Member
          • Mar 2017
          • 379

          #5
          Originally posted by murray99
          In the routes.json like this
          [
            {
              "route": "/actionbuttons/test",
              "method": "post",
              "params": {
                "controller": "ActionButtonsController",
                "action": "test"
              },
              "noAuth": true
            }
          ]

          Interesting. Thanks. I have never used that file and it has never been a problem, which is confusing. I add PHP files into custom/Espo/Custom/Controllers and the routes are automatically available.

          Edit: It seems like the routes.json file is only for front end routing. I should clarify that I am talking about back end routing.
          Last edited by bandtank; 01-20-2023, 04:29 PM.


          • bandtank
            Active Community Member
            • Mar 2017
            • 379

            #6
            Your advice led me to this page, which shows the implementation information: API actions - EspoCRM Documentation

            Thanks again for your help.


            • Kharg
              Senior Member
              • Jun 2021
              • 410

              #7
              Glad you found a solution for your problem!
              Last edited by Kharg; 01-20-2023, 09:49 PM.


              • jflores
                Member
                • Aug 2019
                • 57

                #8
                bandtank (or anyone else who visits this post) In case this is helpful, we configured our install to be able to receive an API request that functions more like "LeadCapture" and less like a formal API request with Basic Auth (or similar).

                Our use case was for a 'free trial' we were offering. The trial was initiated from Cognito Forms via a Webhook.

                So we created a custom controller ("CognitoForm.php") and it has this code in it:

                Code:
                /* Up here is all the class code, constructor, and dependencies. Below is just one function */

                public function postActionFreeTrial($params, $data, $response)
                {
                    // Reject requests that carry no key or no payload.
                    if (empty($params['apiKey'])) throw new BadRequest('No API key provided.');
                    if (empty($data)) throw new BadRequest('No payload provided.');

                    // CORS origin comes from the leadCaptureAllowOrigin config value ('*' if unset).
                    $allowOrigin = $this->getConfig()->get('leadCaptureAllowOrigin', '*');
                    $response->headers->set('Access-Control-Allow-Origin', $allowOrigin);

                    // Check the key from the URL against the LeadCapture service.
                    $apiKey = $params['apiKey'];
                    $validKey = $this->getServiceFactory()->create('LeadCapture')->isApiKeyValid($apiKey);

                    if ($validKey) {
                        $lead = $this->getServiceFactory()->create('Lead')->cognitoFreeTrialLead($data, $apiKey);
                        return $lead;
                    } else {
                        return 'This is not a valid API Key! Make sure you have the right environment and it\'s active!';
                    }
                }
                Here, we generate a key using the Entry Point provided by the LeadCapture functionality already provided out of the box.

                Then, in our routes.json file (custom/Espo/Custom/Resources/routes.json)

                Code:
                [
                  {
                    "route": "/CognitoForm/:action/:apiKey",
                    "method": "post",
                    "params": {
                      "controller": "CognitoForm",
                      "action": ":action",
                      "apiKey": ":apiKey"
                    },
                    "conditions": {
                      "auth": false
                    }
                  }
                ]


                In this case, ":action" is a variable as we have multiple actions going to that controller and we didn't want to have to write a new route every time we wanted a new entry point.

                To access, we send a POST request from CognitoForms:

                Code:
                POST: https://{espocrm-domain.com}/api/v1/CognitoForm/freeTrial/{apiKeyGeneratedInLeadCaptureAdminPanel}
                where "CognitoForm" is the name of the controller, "freeTrial" the action, and the "apiKey" a key generated using the "LeadCapture" function from the administration interface.

                Anyways, hope this is helpful to someone!
                Last edited by jflores; 01-21-2023, 09:41 PM.
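
An added example, not part of any post in this thread and not EspoCRM's own code: a small audit that lists the routes in a routes.json that skip authentication, recognising both forms posted above (`"noAuth": true` and `"conditions": {"auth": false}`). The sample data, the `/Example/:id` route, the note labels and the `SECRET_HINTS` naming heuristic are assumptions made for the illustration.

```python
import json

# Constructed sample: the two route shapes posted in this thread, plus one
# ordinary authenticated route (made up) for contrast.
SAMPLE_ROUTES = json.loads("""
[
  {"route": "/actionbuttons/test", "method": "post",
   "params": {"controller": "ActionButtonsController", "action": "test"},
   "noAuth": true},
  {"route": "/CognitoForm/:action/:apiKey", "method": "post",
   "params": {"controller": "CognitoForm", "action": ":action",
              "apiKey": ":apiKey"},
   "conditions": {"auth": false}},
  {"route": "/Example/:id", "method": "get",
   "params": {"controller": "Example", "action": "read", "id": ":id"}}
]
""")

# Assumption: placeholder names containing these words carry a credential.
SECRET_HINTS = ("key", "token", "secret", "password")

def is_unauthenticated(route):
    """True if the entry opts out of auth in either form seen in the thread."""
    if route.get("noAuth") is True:
        return True
    conditions = route.get("conditions")
    return isinstance(conditions, dict) and conditions.get("auth") is False

def audit_routes(routes):
    """Return one finding per unauthenticated route, with review notes."""
    findings = []
    for route in routes:
        if not is_unauthenticated(route):
            continue
        path, params = route.get("route", ""), route.get("params", {})
        notes = []
        # A placeholder action lets the caller choose which action runs, so
        # each action on that controller has to do its own key check.
        if str(params.get("action", "")).startswith(":"):
            notes.append("caller-chosen-action")
        # Values in path segments such as :apiKey are typically access-logged.
        names = [seg[1:] for seg in path.split("/") if seg.startswith(":")]
        if any(hint in name.lower() for name in names for hint in SECRET_HINTS):
            notes.append("secret-in-path")
        findings.append({"route": path, "controller": params.get("controller"),
                         "method": str(route.get("method", "")).upper(),
                         "notes": notes})
    return findings
```

To check a real install, pass `audit_routes` the result of `json.load` on custom/Espo/Custom/Resources/routes.json and review every route it returns.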
