Using Smartsheet API to Access User Data Outside of My Own Account


Hello,

I would like to build an OAuth integration with Smartsheet that would allow me to access data from users whose Smartsheet accounts are different from my own Smartsheet account. Is this possible with the Smartsheet API?

Thanks,

Farhana

Answers

  • Paul Newcome

    You would need to be shared to whatever you are attempting to pull from. Think of the API token as log-in credentials. If you are using a token that you generated from your account, it will only have access to what you have access to.

  • fasarker

    @Paul Newcome Thanks a lot for your response. So just to clarify, I would have to ask my users to share their API token with me? Also, if my users are on an Enterprise plan, but I am on a Business plan, will I still be able to access their Smartsheet accounts using OAuth?

  • Paul Newcome

    Either they will need to provide their token or they will need to share you to the Smartsheet items and you can use your own token.

  • Lee Joramo

    The Smartsheet API does allow you to act on behalf of other users. However, you cannot do this via just OAuth; this requires the use of an API Access Token from an Admin User's account that you generate via the web.

        Smartsheet -> Personal Settings -> API Access
    

    So in your case, you would authenticate the user to your application via OAuth, but for any data outside the user's direct access, you would make requests using an Admin's API Token.

    It looks like the current Smartsheet API documentation does not go into details about how to do this. They only mention it can be done without details:

    https://smartsheet.redoc.ly/#section/API-Basics/Assume-User

    I think I learned how to do this via the old 1.0 API documentation. Here is an example of a function using the JavaScript SDK that gets a sheet.

    const client = require('smartsheet')
    
    const apiKey = "ADMIN_USERS_API_KEY"
    const sheetOwner = "betty@example.com"
    const sheetId = "1234567890"
    
    const smartsheet = client.createClient({
        accessToken: apiKey
    })
    
    async function getSheet(sheetId, owner) {
        // get the metadata for the sheet's columns as the owner of the sheet
        // owner: email address of the sheet's owner
        const options = {
            assumeUser: `${owner}`,
            id: sheetId,
            queryParameters: {
                include: "discussions,attachments,columnType,crossSheetReferences,filterDefinitions,filters,format,ganttConfig,objectValue,ownerInfo,rowPermalink,rowWriterInfo,summary,writerInfo",
                includeAll: true
            }
        }
        const response = await smartsheet.sheets.getSheet(options)
        return response
    }
    
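    // getSheet is async and returns a Promise, so wait for it before using the result
    getSheet(sheetId, sheetOwner)
        .then((sheetInfo) => console.log(sheetInfo))
        .catch((err) => console.error(err))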
    

    So the two big requirements are:

    1. creating a smartsheet object using the API key from an ADMIN account
    2. passing the 'assumeUser' parameter with the email address of the account you want to impersonate

    I will post a separate request for better API documentation.

  • fasarker

    @Lee Joramo Thanks for your response. If the admin user authorizes my app via OAuth and I get the admin user's access token from that, can't I just use that access token to generate sheets/access their data in their Smartsheet account? Or would I still need to get the admin's API key separately?

  • Lee Joramo

    I am almost certain you need an Admin's API key. This is the only way I have done this.

    As I understand it, even an Admin user can't use the 'assumeUser' parameter using the security context provided by an OAuth session.

  • fasarker
    edited 12/13/23

    @Lee Joramo Thanks again for the response. This seems a bit troublesome; I doubt users will be comfortable sharing their Admin's API key. OAuth provides a pretty standard and secure way of sharing a scope-limited access token for a user, which I think most users would be fine with, but manually sharing API keys I think would raise questions and seem dangerous.

  • Lee Joramo
    edited 12/14/23

    The Admin API key is only saved in your web app server side and is never seen by the users.

    In my organization, we have actually dedicated one admin account to dealing with API access, and it is not used as an end user account.

    Additionally, I was assuming that this was for access to sheet data that was not possible or desirable to share to users via the normal Smartsheet sharing. If you can have sheet owners/admins share a sheet to the needed users via normal means via the Smartsheet website, then my suggestions for using 'assumeUser' via the API are not needed.
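
Added example, not code from the thread or from Smartsheet: a server-side guard around the impersonation pattern discussed above, so the admin token stays on the server and can only be used to act as accounts your policy permits. It builds the raw request with the `Assume-User` header (URI-encoded e-mail) instead of using the SDK; `buildAssumeUserRequest`, `ALLOWED_DOMAINS`, `requestedBy` and the `SMARTSHEET_ADMIN_TOKEN` variable name are hypothetical, and the domain allowlist is an assumed policy.

```javascript
// Added example: all names here are hypothetical, sample values are constructed.
const API_BASE = "https://api.smartsheet.com/2.0";

// Assumed policy: only accounts in these domains may be impersonated.
const ALLOWED_DOMAINS = new Set(["example.com"]);

// Conservative e-mail check. Whitespace and control characters are rejected,
// so a CR/LF in the value cannot inject extra HTTP headers.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$/;

function buildAssumeUserRequest({ adminToken, sheetId, assumeEmail, requestedBy }) {
    if (typeof adminToken !== "string" || adminToken.length === 0) {
        throw new Error("admin token missing (load it from a server-side secret store)");
    }
    if (!/^[0-9]+$/.test(String(sheetId))) {
        throw new Error("sheetId must be numeric");
    }
    const m = EMAIL_RE.exec(String(assumeEmail));
    if (!m || !ALLOWED_DOMAINS.has(m[1].toLowerCase())) {
        throw new Error("assumeEmail not permitted by impersonation policy");
    }
    // Audit record: which OAuth-authenticated app user asked to act as whom.
    // The token is deliberately never written to the record.
    const audit = {
        at: new Date().toISOString(),
        requestedBy,
        assumeEmail,
        sheetId: String(sheetId),
    };
    return {
        url: `${API_BASE}/sheets/${sheetId}`,
        headers: {
            Authorization: `Bearer ${adminToken}`,
            "Assume-User": encodeURIComponent(assumeEmail), // betty%40example.com
        },
        audit,
    };
}

// Stand-alone demo with a constructed token. On a real server, read the token
// from process.env.SMARTSHEET_ADMIN_TOKEN and pass url/headers to fetch().
const demo = buildAssumeUserRequest({
    adminToken: "CONSTRUCTED_TOKEN",
    sheetId: "1234567890",
    assumeEmail: "betty@example.com",
    requestedBy: "oauth-user-42",
});
console.log(demo.url, demo.headers["Assume-User"], demo.audit);
```

Persist the `audit` record before sending the request, so every use of the admin token to act as another account can be reviewed later.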