Judge.me uses OAuth to let App Developers access its API. This system helps App Developers get permission from stores to create Apps using an API token. This way, you can make secure requests to Judge.me's API based on how stores behave.
In this guide, we'll show you how to set up OAuth in Judge.me step by step.
Note
We strongly recommend using OAuth for enhanced security during integration.
Request access only to the essential data to ensure proper verification and official promotion of your integration.
Step 1: Create an app in Judge.me
Visit judge.me/login and input your email address to log in as a reviewer.
Judge.me will send a "magic link" to your email. Follow the link to proceed with the login process.
After logging in, access this link to create a new app: https://judge.me/profile/apps/new
Complete the required fields and click Create.
App Name: Your app name
Redirect URI: The endpoint to receive authorization confirmation with the authorization code from Judge.me API (e.g., https://example.com/auth/judgeme/callback).
Logo URL: Direct link to your app's logo
Link to: Link to your app's homepage
After creating your app, click the "edit" icon to find the Client ID and Secret. You'll use these for authorization and getting an access token later on.
Step 2: Identify the scopes
Scopes define what your app can access, and stores control these permissions.
Request only the scopes you need for a higher chance of approval.
Here's a list of the Judge.me API scopes; make sure to use the correct names:
Default scopes | public |
Optional scopes | read_shops, write_shops, read_widgets, read_orders, write_orders, read_products, write_products, read_reviewers, write_reviewers, read_reviews, write_reviews, read_settings, write_settings |
Step 3: Build the authorization URL to redirect stores to Judge.me
Judge.me OAuth follows the OAuth 2.0 standard.
You can refer to any OAuth 2.0 guide for reference.
Construct an authorization URL to redirect stores to Judge.me.
This URL includes parameters identifying your app and defining the permissions (scopes) requested from the stores.
When stores click the authorization URL, your app redirects them to Judge.me. The URL loads the OAuth grant screen, requesting stores to authorize the specified scopes.
Authorization URL format
method=GET https://judge.me/oauth/authorize?client_id=[your_client_id]&redirect_uri=[your_redirect_uri]&response_type=code&scope=[list_of_permissions_you_are_asking]&state=[state]
Example of a real authorization URL
method=GET https://judge.me/oauth/authorize?client_id=e9aa17df97285cc93373ec809806c55452280b840985814d30b9fc71c3016252&redirect_uri=https://example_app.com/oauth_callback&response_type=code&scope=read_products%20write_products&state=806c55452280b840985814d30b9fc
Parameters in the authorization URL
client_id | Every connected app is identified by a client_id. You can find this value when editing your app in Judge.me. |
redirect_uri | redirect_uri is the endpoint that Judge.me will use to send authorization confirmation with the authorization code back to your app server. |
scope | scope is the list of permissions that your app requests the stores to approve. |
response_type | response_type will be set to code, indicating that the application expects to receive an authorization code if successful. |
state (optional) | You can send a random value as state when starting the authorization request and use it to validate the authorization code when receiving a response from Judge.me. |
Example of a callback from Judge.me with an authorization code to your app
Started GET "https://example.com/auth/judgeme/callback?code=32279746ee4db4312ca49ae627f043fbc3680f605c3603170e5a875f7afe2b1c"
Step 4: Exchange for a permanent access token
Next, exchange the authorization code for a permanent access token, allowing API calls within defined scopes. For this exchange, you'll need:
client_id (from step 1)
client_secret (from step 1)
code (from step 3)
redirect_uri (link to your app server)
The client_id and client_secret are what you have got from step 1 when creating an app. The code is what you get from step 3. The redirect_uri is the link to your app server.
curl --location --request POST 'https://judge.me/oauth/token' \--header 'Content-Type: application/json' \--data-raw '{ "client_id": "7ce4d77492c0ab540885601378e7442415b14e48b9865ab1bf5a9d548fa8eba8", "client_secret": "5f62a03e9ff7349b57aaade0b8d78f7603256bd97a347f6949424c1ade4383a2", "code": "32279746ee4db4312ca49ae627f043fbc3680f605c3603170e5a875f7afe2b1c", "redirect_uri": "http://example.com/auth/judgeme/callback", "state": "9f1c39b9a714771ccb331fb5742a57453fae7173a26329d0", "grant_type": "authorization_code"}'
An Illustration of a Judge.me Response:
{ "access_token": "39452ed283252c8ea2083faa9b371cc77e82c22471da921b8cd6db935e4ee37a", "token_type": "Bearer", "scope": "read_products write_products public", "created_at": 1646287086}
Upon getting this access token, you gain the ability to invoke pertinent APIs within the Judge.me platform:
curl --location --request GET 'https://judge.me/api/v1/products' \--header 'Content-Type: application/json' \--data-raw '{"api_token": "39452ed283252c8ea2083faa9b371cc77e82c22471da921b8cd6db935e4ee37a"}'
When you use APIs within your allowed scope, you can get the data you need. For example, if your scope includes the "read_products" API, you can get product information.
On the other hand, if you try to use APIs not in your scope, you'll get an error. For instance, if "read_reviews" isn't in your scope and you try to use it, you'll see an error message saying, "You can't access this resource."
If you need help setting up OAuth, contact our team at [email protected]. We're available to help 24/7!