Authentication

SurveyMonkey Apply Connect uses OAuth 2.0 to authenticate your application.

New to OAuth 2.0? You can read more about it here.

Getting your credentials

As an administrator:

  1. Click on your settings icon on the top of the page
  2. Select Integrations
  3. Click on Configure in the Apply Connect box
  4. Click on “Generate new credentials”

You now have an access token, a refresh token, a client ID, and a client secret. These credentials are tied uniquely to your user account and to your site, anyone who has them can authenticate themselves as you through the API – so make sure you keep them secret!

If at any time you feel that your API credentials may have been compromised, you can generate a new set which will immediately erase and invalidate the existing ones. Make sure that you update any applications that depend on these credentials if you do make a change, otherwise, they will no longer be able to communicate with our API.

Authenticate a request

For your request to be authenticated, the access token you received from the /admin/developer/ page needs to be added to the header of every request for resources that you send us.

If you’re making a curl request, it would look something like this:

curl -H "Authorization: Bearer <ACCESS_TOKEN>" <YOUR_SITE>/api/

If ever you receive a 401 error after sending a request, then either you have a typo in your site URL or your access token is invalid. You can check the admin developer dashboard to make sure that it hasn’t expired.

Refreshing a token

POST /api/o/token/

Access tokens last two hours from the moment they were generated, after which they can no longer be used to authenticate requests. To generate a new one, simply make a POST request to the above url with your client ID, client secret, and refresh token.:

curl <YOUR_SITE>/api/o/token/
        -d "grant_type=refresh_token\
                &client_id=<CLIENT_ID>\
                &client_secret=<CLIENT_SECRET>\
                &refresh_token=<REFRESH_TOKEN>"

If you supplied the correct credentials, you will get a response of the form:

{
        "access_token": "<YOUR_NEW_ACCESS_TOKEN>",
        "expires_in": 7200,
        "refresh_token": "<YOUR_NEW_REFRESH_TOKEN>",
        "scope": "",
        "token_type": "Bearer"
}

And that’s it! You can start using your new access token to authenticate requests until it expires. The new values can also be seen from the admin developer dashboard. Note that the client ID and client secret remain the same when you refresh your tokens.

Deleting tokens

If at any time you wish to delete your tokens, you can generate new ones in the developer dashboard in your site.

To ensure that the token you would like to delete is associated with your account, we require that you authenticate at this endpoint with your client credentials. For example, to delete a refresh token the following request could be made:

curl -X POST -d '{"client_id": <CLIENT_ID>, \
        "client_secret": <CLIENT_SECRET>, \
        "token": <TOKEN>, \
        "token_hint": "refresh"}' \
        <YOUR_SITE>/api/o/revoke_token/