Backend to backend communication

Plug-ins may need to send API requests to a Haiilo backend, for instance to send notifications to users. This requires an OAuth 2 access token. A plug-in requests an access token via the manifest. In return it receives an 'access_token' event via a web-hook callback, either right after the 'install' lifecycle event or after a manifest update that adds such a section where there was none before.

Currently these access tokens are limited in their permissions as follows:

  • client-based: no user id is linked to the token
  • scopes: the token only gives access to a subset of the Haiilo API

The 'access_token' event contains all the data needed to obtain an OAuth 2 access token via the well-known OAuth 2 token endpoint. Standard libraries may be used to handle the OAuth 2 protocol correctly, including token refreshes.
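
The following sketch is an added example, not Haiilo's own code: it shows how a plug-in backend might turn the data from the 'access_token' event into a cached token that is re-requested shortly before it expires. The event field names (`token_endpoint`, `client_id`, `client_secret`), the sample values, the use of the client-credentials grant, and the names `BackendTokenSource` and `http_post_form` are assumptions made for illustration.

```python
import base64, json, time
import urllib.parse, urllib.request

# Constructed sample; the field names are assumptions, not the documented payload.
SAMPLE_EVENT = {
    "token_endpoint": "https://haiilo.example.invalid/oauth/token",
    "client_id": "plugin-client-placeholder",
    "client_secret": "placeholder-secret",
}

def http_post_form(url, form, client_id, client_secret):
    """POST a form with HTTP Basic client authentication (RFC 6749, section 2.3.1)."""
    pair = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": "Basic " + base64.b64encode(pair.encode()).decode()},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class BackendTokenSource:
    """Caches the client-based token and re-requests it shortly before expiry."""

    def __init__(self, event, post=http_post_form, clock=time.time, skew=30):
        # Refuse to send the client secret over an unencrypted connection.
        if not event["token_endpoint"].startswith("https://"):
            raise ValueError("token endpoint must use HTTPS")
        self._endpoint = event["token_endpoint"]
        self._client_id = event["client_id"]
        self._client_secret = event["client_secret"]  # never log this value
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token
        # Assumption: client-credentials grant (RFC 6749, section 4.4).
        body = self._post(self._endpoint, {"grant_type": "client_credentials"},
                          self._client_id, self._client_secret)
        if str(body.get("token_type", "")).lower() != "bearer" or not body.get("access_token"):
            raise ValueError("unexpected token response")
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body.get("expires_in", 0))
        return self._token
```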