Example 1

Problem: get the list of all REST methods available at

  • Assume the application sends the following requests:
    "CLIENT_ID" => 'First_APP',
    "CLIENT_SECRET" => 'secret_key',
    "TITLE" => 'Test app',
    "REDIRECT_URI" => '',
    "SCOPE" => array('user')
    • CLIENT_ID – the application ID;
    • CLIENT_SECRET – the secret key to sing requests;
    • TITLE – the application name;
    • REDIRECT_URI – the URL of a script that will receive and process the server response;
    • SCOPE - an array containing permissions available to the application.
  • Obtain the first key (Request token). The application will have to redirect a user to:

    • – the remote server address;
    • client_id – the application ID;
    • response_type – specifies the type of the response data (we want "code");
    • redirect_uri – specifies the encoded URL of your script that will receive and process the server response. The URL must be the same you provided when registering the application.

    If the user is not logged in, they will see the authentication form. If the user has been or is being authenticated, the server will redirect to REDIRECT_URI with the initial authentication token:

    • code– request token returned by the server (the token default lifetime is 30 sec).
  • The script looks at the code parameter and requests the second key (access token) by sending a GET request to: xxxxxxxxxxxxxxxxxxxxxxxxxxx&scope=user

    • – the remote server address;
    • client_id – the application ID;
    • grant_type – specifies the expected key type ("authorization_code");
    • client_secret – the application secret key;
    • redirect_uri – specifies the encoded URL of your script that will receive and process the server response (the same used when registering the application);
    • code – the request token obtained by the previous call;
    • scope – a list of permissions for the requested key.
  • The server will return the following data:
    • access_token – an access token provided by the server;
    • expires_in – lifespan of the access token (1 hour by default);
    • refresh_token – a special value to get the new access_token;
    • member_id – the unique Bitrix24 portal ID.
  • Now that we have the access token we can call REST API:

    • methods.json is a REST API factory method that returns a list of all available methods in JSON format.
    • auth – the access token returned by the server.
  • REST API factory will return the list, something like this:

Example 2

Problem: obtain the ID's of all task a current user planned for today.

  • To use the Tasks module, a registered application must be granted the appropriate permission (scope).
       	"CLIENT_ID" => 'Tasks_APP',
    	"CLIENT_SECRET" => 'very_secret_key',
    	"TITLE" => 'Task test app',
    	"REDIRECT_URI" => '',
    	"SCOPE" => array('task', 'user')
    • SCOPE – specifies permissions required by the application;
  • Get the first key (request token). Send a GET request to:

  • To return the result, the server will call a script at REDIRECT_URI:

  • The script reads the code parameter value and asks for the second key (access token) by sending another GET request: xxxxxxxxxxxxxxxxxxxxxxxxxxx&scope=user,task

  • Again, the server replies with the result by calling REDIRECT_URI:

    • expires_in – the access token lifetime, seconds;
    • refresh_token – the key to refresh the access token when lifetime has expired.
  • Now that we have access_token we can call REST API:

  • In response, we get the task ID's:
    [result] => Array ( [0] => 3 [1] => 4 )

    The access token can be used as many times as needed as long as it is alive. Once the access token has expired, the server will return an expired_token error. To get a new key, send the refresh token to the server:

    As before, the server will response by calling the script with the "access_token" parameter:

© «Bitrix24», 2001-2022