The TruckDown.com API provides access to TruckDown.com services and features through a standard REST application interface. Using the API, external applications can perform location searches, view user information and preference data, and view and manage user specific ratings, notes, preferences, and repair data.
The TruckDown.com API supports OAuth 2.0 authentication for web applications (see OAuth 2.0 for Web Applications) or for applications or devices that have limited input capabilities (see OAuth 2.0 for Devices).
This document outlines the various methods to authenticate to the TruckDown.com API and defines the API available.
Like all OAuth 2.0 scenarios, you first need to register your application with TruckDown through your account services at https://www.truckdown.com/account/services. In order to register your application, you must log in to www.truckdown.com and have a TruckDown Ace Membership. For more information on TruckDown Ace Membership benefits, click here.
To register your application, click on the “Services” section. Under “API Applications”, click on the “Add new API application” link. You will be asked to enter a name for your application, a status (Private, Semi-Private, or Public), and you can optionally enter a Url End Point. (Note: the Url End Point is required for OAuth 2.0 for Web Applications – this is the Url that TruckDown will redirect users to after they have granted access to your application).
The statuses have the following meanings:
Once you have saved your application, your application will be listed in your API Applications list along with an API Key and an API Secret. The API Key can be shared but the API Secret should be kept secret within your application.
In order to authenticate a user within a web application, you application can redirect the user’s browser to a TruckDown URL with a set of query parameters that indicates the type of access TruckDown API access the application requires. TruckDown handles the user authentication and consent, and returns an authorization code to your application through another URL redirect.
Your application can then use that authorization code to obtain an Access Token and a Refresh Token. The Access Token is a time limited token that can be used to grant your application access to the TruckDown API on the user’s behalf while the refresh token can be used to renew the access token as required.
The URL used when authenticating a user is https://www.truckdown.com/oauth2/auth. The endpoint is only accessible over SSL, any connection attempt over HTTP will be refused.
The query string parameters to include in the request are:
An example request url is shown below:
When the user is directed to the request url, they will be asked to log in to TruckDown if they are not already and then will be shown a consent screen.
Once the user clicks on either button, they will be redirected back to the redirect_url with the appropriate response.
The response will be sent to the redirect_url as specified in the request. If the user approves the access request, then the response contains the state parameter and an authorization code. If the user does not approve the request then the response contains the state parameter and an error message.
For example:
An error response:
An Authorization Code response:
After the web server receives the authorization code, it may exchange the authorization code for an access token and a refresh token.
The request for an access token is an HTTPS POST to
with the following parameters:
NOTE: the api_key must be sent as both a query string parameter (key) and in the POST parameter (api_key). If the query string parameter is omitted or invalid then TruckDown will return an Unauthorized response (401).
A successful response is returned as a JSON object with the following fields:
An example response object would be similar to:
{
access_token: “WVPnLc3CcpQjguyJMYucsOSJ5wOe/G5q”,
refresh_token: “TSdph4Z14Lmo9CFa8ovIxe4/84R5jtcjtcYcl1wr6fDmbPgU+HuvqMs7BNV/a0sn”,
expires_in: 3600,
token_type: “Bearer”
}
Additional fields may be returned in the response so your application should allow additional fields.
Note: It is important to store the refresh token for future use. If you application loses the refresh token, it will have to obtain a new one through the initial authorization request process.
After your application has obtained an access token, your application can access a TruckDown API by including it in an Authorization: Bearer HTTP header.
When you obtain an access_token, that token will expire after a set number of seconds (as defined by the expires_in parameter). Prior to the access_token expiring, you can use the refresh_token value to obtain a new access_token to ensure continued access.
NOTE: the api_key must be sent as both a query string parameter (key) and in the POST parameter (api_key). If the query string parameter is omitted or invalid then TruckDown will return an Unauthorized response (401).
A successful response is returned as a JSON object with the following fields:
An example response object would be similar to:
{
access_token: “WVPnLc3CcpQjguyJMYucsOSJ5wOe/G5q”,
refresh_token: “TSdph4Z14Lmo9CFa8ovIxe4/84R5jtcjtcYcl1wr6fDmbPgU+HuvqMs7BNV/a0sn”,
expires_in: 3600,
token_type: “Bearer”
}
Additional fields may be returned in the response so your application should allow additional fields. The value of the refresh_token field will be the same as the value submitted.
Applications that do not have the same capabilities as a web server (such as GPS devices) may access an API on behalf of a user, but the user must have separate access to a computer or device with an integrated web browser. The user will interact with the device to obtain an URL and a code, switch to another device or computer to launch a web browser, navigate to the URL and authenticate the code provided.
In order to obtain a user code for authorization, you application must make an HTTP POST Request to https://www.truckdown.com/apiv2/oauth2/code?key=[api_key]. The endpoint is only accessible over SSL, any connection attempt over HTTP will be refused.
The fields to include in the request are:
NOTE: the api_key must be sent as both a query string parameter (key) and in the POST parameter (api_key). If the query string parameter is omitted or invalid then TruckDown will return an Unauthorized response (401).
A successful response is returned as a JSON object with the following fields:
An example response object would be similar to:
{
verification_url: “https://www.truckdown.com/code”,
device_code: "kuFIyJbY1fE2Peq4rt8A1/xlrGnS+zmz/3Bkq03PI4gMBaUTfdBYJGI1kl9/Q/dC",
refresh_token: "m78CHQEj",
expires_in: 3600,
interval: 5
}
Additional fields may be returned in the response so your application should allow additional fields.
The verification_url and the user_code from the JSON object should be shown to your user. The idea is to ask your user to go to a browser, navigate to the verification_url, and enter the user_code. The user_code is case sensitive so the user will have to enter it exactly as it is returned in the JSON object.
When a user navigates to the URL, they will be asked to log in (if they are not already logged in) and then will see a page similar to the following:
After they enter the code, they will be shown a consent screen.
If the user clicks “Allow Access”, then your application can obtain an access and refresh token that will grant your application access to the TruckDown APIs. Like all OAuth 2.0 scenarios, the scope parameter controls the access your application has to a TruckDown API.
After your application has shown the user_code and verification_url, your application may begin polling a TruckDown end point with the device_code that was returned in your last request.
The request for an access token is an HTTPS POST to https://www.truckdown.com/apiv2/oauth2/token?key=[api_key] with the following parameters:
NOTE: the api_key must be sent as both a query string parameter (key) and in the POST parameter (api_key). If the query string parameter is omitted or invalid then TruckDown will return an Unauthorized response (401).
A successful response is returned as a JSON object with the following fields:
An example response object would be similar to:
{
access_token: “WVPnLc3CcpQjguyJMYucsOSJ5wOe/G5q”,
refresh_token: “TSdph4Z14Lmo9CFa8ovIxe4/84R5jtcjtcYcl1wr6fDmbPgU+HuvqMs7BNV/a0sn”,
expires_in: 3600,
token_type: “Bearer”
}
Additional fields may be returned in the response so your application should allow additional fields.
Note: It is important to store the refresh token for future use. If you application loses the refresh token, it will have to obtain a new one through the initial authorization request process.
For example, a call to the TruckDown API to get the user’s basic information looks like the following:
When you obtain an access_token, that token will expire after a set number of seconds (as defined by the expires_in parameter). Prior to the access_token expiring, you can use the refresh_token value to obtain a new access_token to ensure continued access.
The request for a new access token is an HTTPS POST to https://www.truckdown.com/apiv2/oauth2/token?key=[api_key] with the following parameters:
NOTE: the api_key must be sent as both a query string parameter (key) and in the POST parameter (api_key). If the query string parameter is omitted or invalid then TruckDown will return an Unauthorized response (401).
A successful response is returned as a JSON object with the following fields:
An example response object would be similar to:
{
access_token: “WVPnLc3CcpQjguyJMYucsOSJ5wOe/G5q”,
refresh_token: “TSdph4Z14Lmo9CFa8ovIxe4/84R5jtcjtcYcl1wr6fDmbPgU+HuvqMs7BNV/a0sn”,
expires_in: 3600,
token_type: “Bearer”
}
Additional fields may be returned in the response so your application should allow additional fields. The value of the refresh_token field will be the same as the value submitted.
The list of possible Scope values will change over time as new API features are added or enhanced. The current list included:
At any point in time, a user can revoke access to your application through their Account Services on TruckDown.com. If this occurs, then any Access Tokens or Refresh Tokens you have will be refused and any API requests made will return an Unauthorized (401) response.
If your access has been revoked, the only option is to have the user grant access again through one of the mechanisms outlined previously.