Authorization
The authorization request redirects the user to the authorization endpoint of PingPong's platform to grant your application permission to access their account data. The user logs in with their PingPong credentials and authorizes access. An Authorization Code for the user is returned to the Redirect URI submitted when registering your application.
We use OAuth2 to associate user information with developers.
Concept description
1.code
The Authorization Code grants access to the user's account data. The Authorization Code needs to be exchanged for an Access Token in order to provide the API with authorized access to information associated with the user's Account Id. The code will expire after 30 minutes for security reasons.
2.access_token
The access token is the authorization identity of a user session. It is valid for 30 days and is used to make API calls on behalf of a user. After the code is obtained, the access token can be obtained by calling the open API. This token must be present in the Authorization HTTP header when making other API calls. The authorization code and refresh token cannot be used directly as access credentials; they must be converted to an access token before the user's private data can be accessed.
3.refresh_token
The refresh token can be used instead of the Authorization Code when the access token is about to expire. When the access token expires, the third-party open platform can send the refresh token to PingPong to refresh the access token. After the request, the access token is updated and the expiry time of the refresh token is reset.
4.redirect_uri
The URI for redirection after the user grants or denies permission.
Step1
Obtain the authorization code through user authorization. Guide the user to open the following authorization URL in the browser, and the login page will appear. The user enters their PingPong account and password and clicks the "SIGN IN" button to reach the authorization page, then clicks the "AUTHORIZE" button to finish the authorization process.
If the user already has a PingPong account, they can reach the authorization page by signing in to it. If not, the user can click the "Sign Up" button to register a new PingPong account. After logging in, the user clicks the "AUTHORIZE" button to finish the authorization process.
After the user finishes the authorization process, they are redirected to your redirect_uri. The redirect_uri contains the authorization code.
Enter the PingPong system via the links below:
Sandbox
https://test2-business.pingpongx.com/entrance/authorization?responseType=code&appId=80290263109341&redirectUri=http%3A%2F%2Fwww.baidu.com%2Fcallback&state=123
Production
https://business.pingpongx.com/entrance/authorization?responseType=code&appId=55bad32597ef4ddbb66b0b9a94f69a53&redirectUri=http%3A%2F%2Fwww.baidu.com&state=123
Parameter | Description | Required |
---|---|---|
app_id | Provided by PingPong | M |
response_type | "code" (fixed value) | M |
redirect_uri | The URI for redirection after PingPong user grants or denies permission, provided by third-party application | M |
state | Maintains the state of the application, and the incoming value is consistent with the return value | O |
If the user accepts the request to grant access, they are redirected to the following URL.
https://www.example.com/callback?code=NApCCg..BkWtQ&state=xxx
Then you can exchange the code, together with the app_secret that PingPong provided for you, for an access_token.
Tips:
- The code is valid for 30 minutes. If it is not used within 30 minutes, it needs to be obtained again.
- The code can only be used once. After you use it, you need to get a new one.
You will get the temporary code when the user agrees to the authorization.
Step2
Use the code and app_secret obtained in the previous step to exchange for an access token. This process requires your own web server, which can store the application's own key and state and can access PingPong's authorization server directly over HTTPS.
1) Apply for access_token
- POST /v3/b2b/oauth/token
Request Sample
curl --location --request POST 'https://test2-business-cgi.pingpongx.com/v3/b2b/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
"app_id":"7520b823877841ac910e7af90d93eb99",
"app_secret":"eb42039964434a08828828be16ef454f4854343026a4466f869ac285f8c78a7b",
"grant_type":"authorization_code",
"code":"3242323AQEQEW"
}'
Request Schema
Parameter | Description | Required |
---|---|---|
app_id | Provided by PingPong | M |
app_secret | Provided by PingPong | M |
grant_type | "authorization_code" (fixed value) | M |
code | Code from the authorization step | M |
Response Sample
{
"code": 0,
"message": "OK",
"data": {
"access_token": "AAIkOWRk...I1HS8rAd",
"open_id": "MC27502480644374528",
"expires_in": 2592000,
"refresh_token": "AAKpFgGj...nId26WIJgY",
"refresh_token_expires_in": 15552000
}
}
Response Schema
Key | Value Type | Value Description |
---|---|---|
access_token | String | Access token |
open_id | String | PingPong user id |
expires_in | Int | Access token expiration time. (30 days) |
refresh_token | String | Refresh token, which can be used to refresh access_token |
refresh_token_expires_in | Int | Refresh token expiration time (180 days) |
2) Apply for access token through refresh_token
If the refresh_token is valid and the access_token has expired, you can use the refresh_token to apply for a new access_token. There is no need to reauthorize.
- POST /v3/b2b/oauth/token
Request Sample
curl --location --request POST 'https://test2-business-cgi.pingpongx.com/v3/b2b/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
"app_id":"7520b823877841ac910e7af90d93eb99",
"app_secret":"eb42039964434a08828828be16ef454f4854343026a4466f869ac285f8c78a7b",
"grant_type":"refresh_token",
"refresh_token":"b942039964434a08828828be16ef454f4854343026a4466f869ac285f8c78a02"
}'
Request Schema
Parameter | Description | Required |
---|---|---|
app_id | Provided by PingPong | M |
app_secret | Provided by PingPong | M |
grant_type | "refresh_token" (fixed value) | M |
refresh_token | Refresh_token | M |
Response Sample
{
"code": 0,
"message": "OK",
"data": {
"access_token": "AAIkOWRk...I1HS8rAd",
"open_id": "MC27502480644374528",
"expires_in": 2592000,
"refresh_token": "AAKpFgGj...nId26WIJgY",
"refresh_token_expires_in": 15552000
}
}
Response Schema
Parameter | Value Type | Description |
---|---|---|
access_token | String | Access token |
open_id | String | PingPong User ID |
expires_in | Int | Access token expiration time. (30 days) |
refresh_token | String | Refresh token, which can be used to refresh access_token. |
refresh_token_expires_in | Int | Refresh token expiration time |
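The two token responses above carry relative lifetimes, so the server has to turn them into deadlines and decide between using the access token, refreshing it, or sending the user back through Step1. The following is an added example, not PingPong's own code: the function names, the stored record layout and the 300-second refresh margin are assumptions.

```python
import json

REFRESH_MARGIN = 300  # assumption: refresh this many seconds before the access token expires


def parse_token_response(body: str, now: float) -> dict:
    """Validate the response envelope and convert relative lifetimes to absolute deadlines."""
    doc = json.loads(body)
    if doc.get("code") != 0:
        # Report only code and message; a successful body contains live tokens.
        raise RuntimeError(f"token endpoint error code={doc.get('code')} message={doc.get('message')}")
    data = doc["data"]
    return {
        "open_id": data["open_id"],
        "access_token": data["access_token"],
        "access_expires_at": now + int(data["expires_in"]),
        # Always store the refresh_token from the latest response; its expiry was reset.
        "refresh_token": data["refresh_token"],
        "refresh_expires_at": now + int(data["refresh_token_expires_in"]),
    }


def next_action(tokens: dict, now: float) -> str:
    """Decide what the server must do before the next API call for this user."""
    if now < tokens["access_expires_at"] - REFRESH_MARGIN:
        return "use_access_token"
    if now < tokens["refresh_expires_at"]:
        return "refresh"        # POST with grant_type=refresh_token
    return "reauthorize"        # both expired: the user repeats Step1


def refresh_request_body(app_id: str, app_secret: str, tokens: dict) -> str:
    """JSON body for POST /v3/b2b/oauth/token; app_secret comes from server-side config only."""
    return json.dumps({
        "app_id": app_id,
        "app_secret": app_secret,
        "grant_type": "refresh_token",
        "refresh_token": tokens["refresh_token"],
    })


# Constructed sample mirroring the page's Response Sample (token values are placeholders).
SAMPLE = json.dumps({"code": 0, "message": "OK", "data": {
    "access_token": "ACCESS_PLACEHOLDER", "open_id": "MC27502480644374528",
    "expires_in": 2592000, "refresh_token": "REFRESH_PLACEHOLDER",
    "refresh_token_expires_in": 15552000}})
```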
Step3
Call the API with access_token
Using the access_token to call PingPong's API ensures the security of the messages between you and PingPong.
Tips: Unless otherwise specified, all APIs require the access_token, and you need to put it in the request header.