Skip to main content
Setting up OAuth
Updated over 8 months ago

Judge.me uses OAuth to let App Developers access its API. This system helps App Developers get permission from stores to create Apps using an API token. This way, you can make secure requests to Judge.me's API based on how stores behave.

In this guide, we'll show you how to set up OAuth in Judge.me step by step.

Note

  • We strongly recommend using OAuth for enhanced security during integration.

  • Request access only to the essential data to ensure proper verification and official promotion of your integration.

Step 1: Create an app in Judge.me

  • Visit judge.me/login and input your email address to log in as a reviewer.

  • Judge.me will send a "magic link" to your email. Follow the link to proceed with the login process.

App Name: Your app name

Redirect URI: The endpoint to receive authorization confirmation with the authorization code from Judge.me API (e.g., https://example.com/auth/judgeme/callback).

Logo URL: Direct link to your app's logo

Link to: Link to your app's homepage

After creating your app, click the "edit" icon to find the Client ID and Secret. You'll use these for authorization and getting an access token later on.

Step 2: Identify the scopes

  • Scopes define what your app can access, and stores control these permissions.

  • Request only the scopes you need for a higher chance of approval.

  • Here's a list of the Judge.me API scopes; make sure to use the correct names:

Default scopes

public

Optional scopes

read_shops, write_shops,

read_widgets,

read_orders, write_orders,

read_products, write_products,

read_reviewers, write_reviewers,

read_reviews, write_reviews,

read_settings, write_settings

Step 3: Build the authorization URL to redirect stores to Judge.me

  • Judge.me OAuth follows the OAuth 2.0 standard.

  • You can refer to any OAuth 2.0 guide for reference.

  • Construct an authorization URL to redirect stores to Judge.me.

  • This URL includes parameters identifying your app and defining the permissions (scopes) requested from the stores.

When stores click the authorization URL, your app redirects them to Judge.me. The URL loads the OAuth grant screen, requesting stores to authorize the specified scopes.

Authorization URL format

method=GET https://judge.me/oauth/authorize?client_id=[your_client_id]&redirect_uri=[your_redirect_uri]&response_type=code&scope=[list_of_permissions_you_are_asking]&state=[state]

Example of a real authorization URL

method=GET https://judge.me/oauth/authorize?client_id=e9aa17df97285cc93373ec809806c55452280b840985814d30b9fc71c3016252&redirect_uri=https://example_app.com/oauth_callback&response_type=code&scope=read_products%20write_products&state=806c55452280b840985814d30b9fc

Parameters in the authorization URL

client_id

Every connected app is identified by a client_id. You can find this value when editing your app in Judge.me.

redirect_uri

redirect_uri is the endpoint that Judge.me will use to send authorization confirmation with the authorization code back to your app server.

scope

scope is the list of permissions that your app requests the stores to approve.

response_type

response_type will be set to code, indicating that the application expects to receive an authorization code if successful.

state (optional)

You can send a random value as state when starting the authorization request and use it to validate the authorization code when receiving a response from Judge.me.

Example of a callback from Judge.me with an authorization code to your app

Started GET "https://example.com/auth/judgeme/callback?code=32279746ee4db4312ca49ae627f043fbc3680f605c3603170e5a875f7afe2b1c"

Step 4: Exchange for a permanent access token

Next, exchange the authorization code for a permanent access token, allowing API calls within defined scopes. For this exchange, you'll need:

  • client_id (from step 1)

  • client_secret (from step 1)

  • code (from step 3)

  • redirect_uri (link to your app server)

The client_id and client_secret are what you have got from step 1 when creating an app. The code is what you get from step 3. The redirect_uri is the link to your app server.

curl --location --request POST 'https://judge.me/oauth/token' \--header 'Content-Type: application/json' \--data-raw '{ "client_id": "7ce4d77492c0ab540885601378e7442415b14e48b9865ab1bf5a9d548fa8eba8", "client_secret": "5f62a03e9ff7349b57aaade0b8d78f7603256bd97a347f6949424c1ade4383a2", "code": "32279746ee4db4312ca49ae627f043fbc3680f605c3603170e5a875f7afe2b1c", "redirect_uri": "http://example.com/auth/judgeme/callback", "state": "9f1c39b9a714771ccb331fb5742a57453fae7173a26329d0", "grant_type": "authorization_code"}'

An Illustration of a Judge.me Response:

{ "access_token": "39452ed283252c8ea2083faa9b371cc77e82c22471da921b8cd6db935e4ee37a", "token_type": "Bearer", "scope": "read_products write_products public", "created_at": 1646287086}

Upon getting this access token, you gain the ability to invoke pertinent APIs within the Judge.me platform:

curl --location --request GET 'https://judge.me/api/v1/products' \--header 'Content-Type: application/json' \--data-raw '{"api_token": "39452ed283252c8ea2083faa9b371cc77e82c22471da921b8cd6db935e4ee37a"}'

When you use APIs within your allowed scope, you can get the data you need. For example, if your scope includes the "read_products" API, you can get product information.

On the other hand, if you try to use APIs not in your scope, you'll get an error. For instance, if "read_reviews" isn't in your scope and you try to use it, you'll see an error message saying, "You can't access this resource."

If you need help setting up OAuth, contact our team at [email protected]. We're available to help 24/7!

Did this answer your question?