How to authenticate for fully automated rest API usage?

  • 12 March 2024
  • 3 replies

Badge +1

I am having trouble understanding how to authenticate my app to use the REST API with my specific use case. A high level overview of what I need my app to do is as follows:

  1. Read existing boards
  2. Compare items on the boards to data within a data warehouse
  3. Create board items to represent specific data in the data warehouse (if they don’t already exist)

This would be executed by a script and run on a schedule, so no human user would be involved. 

What I am not understanding is Step 2 of the “Authorization flow for expiring tokens”: “Request user for authorization”.

How does this work since there will be no user? Is there another way to receive an authorization code or a way to get an access token without one? 

I am a business analyst, not a developer, so explaining it like I’m five is much appreciated!

Thanks in advance!

3 replies

Userlevel 3

Hi @Chris Prosser 

This is a great question, thank you for providing all of this context! 

Even though there is no user interaction or UI, the app will still need to be installed on a team. This will be step 3 in this guide. That is when you will get your access token, and then you will need to implement a mechanism to exchange expiring tokens. We have some app examples which show how to do this here. 

So even while there will be no “users” for this app, you will still need to install it once on a team in order to gain the access token to be able to perform things such as read existing boards (only the boards which are on the team which you installed the app).

Let me know if you have further questions! 


Badge +1

Okay, I think I am understanding this now. It looks like I needed to essentially skip steps 1-4 in the documentation ( and go straight to step 5. The documentation says the previous steps are prerequisites but I think in this case they are not.

It looks like my flow will be something like this:

  1. Store refresh token in Azure Key Vault as secret
  2. Script requests refresh token from Key Vault and uses it to request access token (
  3. Script updates azure key vault with new refresh token that was returned
  4. Script uses access token that was returned to call API

Thanks for the help, Horea!

Userlevel 3

Yes - since you will not need to create different access tokens for different users, then in this case I believe you can skip steps 1-3 here. The docs are assuming you will need to create different access tokens for different users (i.e. each access token will act on the behalf of a certain Miro user) but in this case, since you will only plan to use one token (i.e. essentially no users) then you can skip those steps and only focus on the steps for using the access token for API calls and just checking to make sure the token is not expired (i.e. step 4 and step 5). 

I’ll look into updating the docs to make this more clear. 

Hope this helps and please don’t hesitate if you have any other questions! Good luck with the automation!