Getting Started

This page will help you get started with the BetterLesson API.

In order to access the BetterLesson API endpoints, clients will need to get an authorization code. This code should be then used to retrieve an access token and a refresh token. Client will be able to use the access token to access all endpoints until the token expires, at which point, clients will need to use the refresh token to get a new access token to continue to have access to the API endpoints. All these steps are explained in detail below.

Retrieving the Authorization Code

The URL used when authenticating a user is https://api.betterlesson.com/oauth2/auth. This endpoint is accessible over SSL. Non-secure HTTP connections are refused.

EndpointDescription
https://api.betterlesson.com/oauth2/authThis endpoint is the target of the initial request. It will return an authorization code for the client_id provided, and it can also authenticate users and get their consent. The result of requests to this endpoint will be authorization codes.

The set of query string parameters supported are:

ParametersValuesDescription
client_idThe client ID you obtain from BetterLesson.Identifies the client that is making the request.
access_typepublic (default) or
private
Determine if the client can access the grantor’s private data.

An example URL is shown below:

https://api.betterlesson.com/oauth2/auth?client_id=dio32fiocg09j4g

If the access_type requested is public, the authorization code or any error messages will be in the response to the /oauth2/auth endpoint request.

An example response for a 'public' access_type:

{
   "code":"1/sdiojvaerjq3jf34verveoioijnw"
}

If, however, the access_type requested is private, the authorization request or any error messages will be sent to the redirect_uri set when your client credentials were created. You may change this uri by contacting BetterLesson support. All responses are returned to the web server on the query string, as shown below:

An example response for a 'private' access_type:

https://demo.app.com/code?code=1%2Favoi49joqierjv9q0483uf

Authorization codes expire in 10 minutes. Make sure to retrieve your access token before the expiration.

Retrieving an Access Token

After the client receives the authorization code, it may exchange the authorization code for an access token and a refresh token. This request is an HTTPS POST, and includes the following parameters:

FieldDescription
codeThe authorization code returned from the initial request.
client_idThe client ID obtained from BetterLesson.
client_secretThe client secret obtained from BetterLesson.
grant_typeAs defined in the OAuth 2.0 specification, this field must contain a value of ‘authorization_code’.

The actual request might look like the following:

POST /oauth2/token HTTP/1.1
Host: api.betterlesson.com
Content-Type: application/x-www-form-urlencoded
 
code=1%2Favoi49joqierjv9q0483uf&client_id=do32fiocg09j4g&client_secret{client_secret}&grant_type=authorization_code

A successful response to this request contains the following fields:

FieldDescription
access_tokenThe token that can be sent to a BetterLesson API endpoint.
refresh_tokenA token that may be used to obtain a new access token. Refresh tokens are always valid for public access, and for private access they are valid until the user revokes access.
expiresUTC timestamp of when the access_token will expire.

A successful response is returned as a JSON array, similar to the following:

{
   "access_token":"1/fFAGRNJru1FTz70BzhT3Zg",
   "refresh_token":"1/ijoiwejqpeorjv209u3jp32EWCe9",
   "expires": <datetime>
}

Access tokens expire one week after being issued. Make sure to use the refresh token to retrieve a new token upon expiration.

Calling a BetterLesson API Endpoint

After your application obtains an access token, you can use the token to make calls to a BetterLesson API endpoint. To do this, include the access token in a request to the API by including either an access_token query parameter or an Authorization: Bearer HTTP header. When possible, the HTTP header is preferable, because query strings tend to be visible in server logs.

Examples

A call to the search endpoint using the access_token query string parameter might look like the following, though you'll need to specify your own access token:

GET https://api.betterlesson.com/search?keyword=algebra&access_token=1%2FfFBGRNJru1FQd44AzqT3Zg

Here is a call to the same API using the access_token ‘Authorization: Bearer’ HTTP header:

GET /search?keyword=algebra HTTP/1.1
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Host: api.betterlesson.com

Using a Refresh Token

Your application may obtain a new access token by sending a refresh token to the BetterLesson Authorization server.

To obtain a new access token this way, your application sends an HTTPS POST request to https://api.betterlesson.com/oauth2/token. The request must include the following parameters:

FieldDescription
refresh_tokenThe refresh token returned from the authorization code exchange.
client_idThe client ID obtained from BetterLesson.
client_secretThe client secret obtained from BetterLesson.
grant_typeAs defined in the OAuth 2.0 specification, this field must contain a value of ‘refresh_token’.

Such a request will look similar to the following:

POST /oauth2/token HTTP/1.1
Host: api.betterlesson.com
Content-Type: application/x-www-form-urlencoded

client_id=do32fiocg09j4g&client_secret={client_secret}&refresh_token=1%2Fijoiwejqpeorjv209u3jp32EWCe9&grant_type=refresh_token

As long as the access granted to your application has not been revoked by BetterLesson or by the user, the response includes a new access token. A response from such a request is shown below:

{
   "access_token":"1/fFAGRNJru1FTz70BzhT3Zg",
   "refresh_token":"1/ijoiwejqpeorjv209u3jp32EWCe9",
   "expires": <datetime>
}

You should save refresh tokens in long-term storage and continue to use them as long as they remain valid.