The EXO API can be used on premise or online via the LiveRelay. We've worked really hard to keep things simple and in both instances authentication is the same and simply requires three headers to be included in each request. The first is the EXO Token which is generated via the EXO Business application, the second is the encoded username and password of the user and the last is the developer key which is generated for the application via developer.myob.com.
These access tokens need to be present in the header of each request and is used to identify the application, system to connect to, user details and device information. Any request without these token will be refused access.
|Basic [Base64Encode(username:password)]||Base 64 encoded username and password of the user.|
|[dev_key]||the developer key identifying the application|
|[access_token]||the access token that identifies the user, system, device etc as configured in EXO Business|
An example of this could look like:
Authorization: Basic RXhvQWRtaW46RXhvQW!288H1 x-myobapi-key: ABCta353c5R6YXRvcjo= x-myobapi-exotoken: 123AA353c5R6YXRsTAQ18*%
Before staring work on a new app, or making your existing app work with the EXO API, you first need to register your app and receive an API key, and an API secret. These are used when authenticating your application and are set in the headers for all calls to the API.
Each person using the API will need to obtain a EXO Token which identifies the system, user, device and permissions to use. This token is generated in using the EXO Config application (versions 8.7+) or using the EXO Mobile Config application packaged in the API installation (versions < 8.7)
MYOB EXO Business licences are renewed annually. Since the expiry date of access tokens is based on expiry date of the EXO API and EXO Mobile modules, the tokens become invalid after a year and must be refreshed. A call to the
token endpoint automatically refreshes the token used in the call and returns the refreshed token as a string.
Along with the EXO Token you need to provide a Base64Encoded username and password. This is validated on each request.