The API that provides access to the Rallybound fundraising platform.
The Sprocket API was built to provide third-party applications access to perform actions on behalf of a Rallybound platform User.
The Sprocket API uses OAuth 2.0 3-legged to allow third-party Clients to access users campaign data. the Sprocket API follows the OAuth 2.0 Authorization Framework specifications.
The Sprocket API follows the HTTP REST protocol.
| Http Method | Example |
| GET | https://rest.rallybound.com/sprocket/v2/campaigns/1234 |
| POST | https://rest.rallybound.com/sprocket/v2/admin/campaigns/1234/users |
| PUT | https://rest.rallybound.com/sprocket/v2/admin/campaigns/1234/users/5678 |
| DELETE | https://rest.rallybound.com/sprocket/v2/campaigns/1234/users/5678/updates/90 |
The URI of an individual API method may contain dynamic parameters (surrounded by curly brackets). they will need to be populated with their respective values, to generate the final URI.
https://rest.rallybound.com/sprocket/{apiVersion}/campaigns/{campaignID}/users
contains 2 dynamic parameters:
https://rest.rallybound.com/sprocket/v2/campaigns/1234/users
Request parameters for each API method will be listed in the following table format:
| Parameter Key | Required | Data Type | Default Value | Description |
| Y/N | int/long/string | Parameters that are not required and are absent will be default to the value listed | Brief description |
Required parameters that are absent, or parameters that are of incorrect data type
(such as passing abc for a parameter that has a data type of int will
generate a 400 Bad Request error)
Most of the Sprocket API Methods will require authorization. There are two types of authorizations listed below. Each of the API methods will list the type of authorization required.
We recommend that the Client application make use of the Authorization HTTP header,
although we plan to support an alternative that makes use of request parameters.
| Authorization Type | Authorization Method | Parameters | Notes |
| AccessToken | Bearer | The AccessToken obtained through the user-authentication flow. | See RFC 6750 |
| ClientSecret | Basic | client_id & client_secret provided to you | See RFC 2617 |
AccessToken authorization is required for API methods that perform an action on behalf of a User, to query account information, for example. A valid AccessToken is obtained during the Authorization Flow
POST /sprocket/v2/test/me HTTP/1.1
Host: rest.rallybound.com Authorization: Bearer NBFHLSJ7w8URN9jJVLtmLmuS-e85Ya64hmUDf_aar4AfQNEEN4string endpoint = "https://rest.rallybound.com/sprocket/v2/test/me";
string accessToken = "NBFHLSJ7w8URN9jJVLtmLmuS-e85Ya64hmUDf_aar4AfQNEEN4";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(endpoint);
request.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + accessToken);
ClientSecret authorization is required for API methods that originate from the Client server, to obtain an Access Token, for example.
Authorization uses the basic authentication scheme (RFC 2617), using the client_id as the username and the client_secret as the password.
Since the client_secret should be treated as a private key, all API methods that require client_secret authorization should originate from your servers.
POST /sprocket/auth/oauth2/token HTTP/1.1
Host: rest.rallybound.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JWstring endpoint = "https://rest.rallybound.com/sprocket/auth/oauth2/token";
string client_id = "s6BhdRkqt3";
string client_secret = "gX1fBat3bV";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(endpoint);
request.Credentials = new NetworkCredential(client_id, client_secret);
The Sprocket API is designed for JSON payloads, but it supports XML payloads as well. To send a request in XML, set the request Content-Type header to application/xml or text/xml.
Note that empty XML tags are treated as null JSON values not empty objects ({})
The Sprocket API will respond to each call with a HTTP status code to indicate if the call was successful. Status codes of 2xx indicate success, 4xx indicate client errors (such as missing request parameters) while 5xx indicate server errors.
The Sprocket API will respond in JSON, but it supports XML as well.
To get a response in XML, set the request Accept header to application/xml.
To get a prettified response, add a pretty query parameter set to true.
|
|
|
|
Requests for collections can return between 0 and 100 results, controlled using the limit query parameter. All collection endpoints are limited to 10 results by default.
Retrieving records past the limit is done by using the offset query parameter.
This example would fetch teams 101 through 150
GET /sprocket/v2/admin/campaigns/1234/teams?limit=50&offset=100
A collection's range can be set to start from a specified result by adding the from_id or starting query parameters.
The from_id parameter (integer) will skip all records with their primary id less than the specified integer.
The starting parameter (long) will skip all records created prior to the specified unix timestamp.
If the request is made to a modified endpoint, the starting parameter will skip all records last modified prior to the specified unix timestamp (based on the Last_Modified_On timestamp).
Endpoints which support pagination will define their fields parameters in their documentation.
Collections may be limited based on specified criteria. This is done by passing filters as query parameters for fields within an object. The parameter specifies the field by which to filter, and its value determines the criteria by which to filter.
Filters may be passed for fields anywhere in an object structure (assuming filtering is supported by the relevant field). So, for example, a donation object can be filtered by donation.amount or donation.payment.currency_key (or both).
Collections may be filtered by string for string fields; by relational operators for integer, decimal, and long fields (including timestamps); and by logic (true/false) for boolean fields.
Strings are filtered based on the exact value passed. To filter based on a partial string, wildcards may be used by prepending or appending an asterisk ("*") to the value passed.
The following example would limit the returned collection to teams whose names start with "our":
GET /sprocket/v2/admin/campaigns/1234/teams?team.name=our*
Integers may be filtered by the relational operators equals ("="), greater than (">"), or less than ("<"). When filtering by greater or less than, the equals sign sets the value of the parameter, and is not part of the relational operator. When filtering by equality, a single equals sign is used, which sets the parameter value, and also checks for equality.
The following example would limit the returned collection to donations which are greater than $100:
GET /sprocket/v2/admin/campaigns/1234/donations?donation.amount=>100
The following example would limit the returned collection to donations which are equal to $250:
GET /sprocket/v2/admin/campaigns/1234/donations?donation.amount=250
Endpoints which support filtering will indicate their respective filterable fields in their documentation.
Collections may be sorted by specified fields using the sort query parameter. To sort by multiple fields, the fields should be passed comma-delimited. The order of the fields will determine the priority of the sort.
By default, the sort order is ascending. To sort descending, preface the relevant field with "-".
The following example would return teams in order of amount raised, with top raised listed first:
GET /sprocket/v2/admin/campaigns/1234/teams?sort=-team.amount_raised
Endpoints which support sorting will indicate their respective sortable fields in their documentation.
Some create (POST) and update (PUT) endpoints support batches.This is done by including multiple records in the payload, see below for example.
The response will include counts for successfully processed records and errors, respectively, and list out each record with relevant information in a Results array. Successful records will return a status code of 200 and the record's ID (see below), while errors will return an error status code, such as 400, along with information regarding the error.
By default, successful records will return only their ID. It is possible to return the entire object by setting batch_respond_with_complete_objects (under setting) to true in the initial payload. We recommend only doing this if the response objects are needed.
Here is an example:
|
|
|
|
To register your application, please contact our support with the following details:
https://example.com/oauth2/client_redirect and
http://dev.example.com/oauth2/client_redirect
Upon successful registration, you will be given a 10 character client_id and a 32 character client_secret, which are needed for some of the Sprocket API methods (such as starting an Authorization Flow)
The client_secret should be kept private to you and never be accessed by the public.
Including the secret in a public application (such as a mobile app) can allow
a hacker to make use of your keys.
For this reason, all of the Sprocket API methods that require the client_secret,
must originate from your servers.
To modify the settings of your application (such as adding or removing redirect prefixes), please contact our support.
In the event that there is an outside breach of your servers, or if your client_secret was leaked to the public, please contact our support to revoke the existing keys and generate new ones.
The Sprocket API currently supports the OAuth 2.0 protocol to perform authorization. Please see RFC 6749 for more details on the protocol.
The Resource Owner refers to the User on behalf of whom your application is performing various actions.
The Resource Server refers to the Sprocket API methods listed below.
The Client refers to your application.
The Authorization Server refers to the Sprocket API authentication endpoint listed in this following sections.
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+
Although OAuth 2.0 defines four grant types, the Sprocket API currently only supports the Authorization Code Grant flow, which requires the Client to redirect the User via a web browser to the authorization endpoint url.
OAuth 2.0 Authorization Code Grant
+----------+
| Resource |
| Owner |
| |
+----------+
^
|
(B)
+----|-----+ Client Identifier +---------------+
| -+----(A)-- & Redirection URI ---->| |
| User- | | Authorization |
| Agent -+----(B)-- User authenticates --->| Server |
| | | |
| -+----(C)-- Authorization Code ---<| |
+-|----|---+ +---------------+
| | ^ v
(A) (C) | |
| | | |
^ v | |
+---------+ | |
| |>---(D)-- Authorization Code ---------' |
| Client | & Redirection URI |
| | |
| |<---(E)----- Access Token -------------------'
+---------+ & Refresh Token
All of the Sprocket API calls are to be made over HTTPS. Although all versions of TLS are currently supported, you should always use the latest and most secure version available.
The use of TLS is very important, since OAuth 2.0 does not use hash signatures to prevent man-in-the-middle attacks.
Since Access Tokens and Refresh Tokens can be used to perform actions on behalf of a User, they must be kept secure and out of reach from unauthorized people. Preferably, they should not be stored in plain-text.
| Endpoint | URI |
| Authorization |
GET
https://rest.rallybound.com/sprocket/auth/oauth2/authorize
|
| Token |
POST
https://rest.rallybound.com/sprocket/auth/oauth2/token
|
| Refresh |
POST
https://rest.rallybound.com/sprocket/auth/oauth2/refresh
|
In order to make authorized calls to the Sprocket API methods, your application must first obtain an Access Token on behalf of a User. Once a valid Access Token is obtained, it can be used to perform multiple API methods until the token expires.
| Parameter Key | Required | Data Type | Default Value | Description |
| response_type | Y | string | Must be set to code |
|
| client_id | Y | string | client_id that was provided for your application | |
| redirect_uri | N | string | First redirect_uri associated with your application | URI of where to redirect the User once they have authorized your application. * Value is restricted to the list of Redirect Prefixes associated with your application. |
| scope | N | string | Default permissions | A space-delimited string of permissions requested |
| state | N | string | State associated with the User request. the value of this parameter will be passed along to the redirect_uri |
https://rest.rallybound.com/sprocket/auth/oauth2/authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Foauthoauth2%2Fclient_redirectstring endpointBase = "https://rest.rallybound.com/sprocket/auth/oauth2/authorize";
string client_id = "s6BhdRkqt3";
string redirectUri = System.Web.VirtualPathUtility.ToAbsolute("~/oauthoauth2/client_redirect");
string state = "abc";
string constructedUri = string.Format("{0}?response_type=code&client_id={1}&redirect_uri={2}&state={3}",
endpointBase, client_id, Uri.EscapeDataString(redirectUri), Uri.EscapeDataString(state));
/*ASP.NET classic*/
Response.Redirect(constructedUri);
/*ASP.NET MVC*/
return Redirect(constructedUri);
Following the OAuth 2.0 spec, once the User grants access to your application they will be redirected to the redirect_uri specified in the authorization request. The following redirect parameters will be appended:
| Parameter Key | Required | Data Type | Default Value | Description |
| code | Y | string | A nonce that can be exchanged for a Access Token | |
| scope | Y | string | A space-delimited string containing the set of scopes approved by the User | |
| state | N | string | The value of the state parameter from the authorization request |
https://client.example.com/oauthoauth2/client_redirect?code=s6BhdRkqt3&state=xyzNonce codes are valid for 10 minutes, and are to be exchanged for a pair of Access and Refresh tokens. Keep in mind that an individual nonce code can only be used once, so if there is an error during the exchange - you will need to begin a new Authorization Flow.
To exchange the code received via the redirect parameter for an Access Token and a Refresh Token, issue a request to the Token Endpoint using the client_secret authorization method, along with the request parameters below:
https://rest.rallybound.com/sprocket/auth/oauth2/token
| Parameter Key | Required | Data Type | Default Value | Description |
| grant_type | Y | string | Must be set to authorization_code |
|
| code | Y | string | The Nonce code received via the redirect parameter | |
| redirect_uri | Y | string | The redirect_uri used during the authorization request |
POST /sprocket/auth/oauth2/token HTTP/1.1
Host: rest.rallybound.comAuthorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Foauthoauth2%2Fclient_redirect
string endpoint = "https://rest.rallybound.com/sprocket/auth/oauth2/token";
string client_id = "s6BhdRkqt3";
string client_secret = "gX1fBat3bV";
//redirect_uri used in the authorization request
string redirectUri = "https://client.example.com/oauthoauth2/client_redirect";
//code issued as redirect parameter
string code = "SplxlOBeZQQYbYS6WxSbIA";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(endpoint);
request.Credentials = new NetworkCredential(client_id, client_secret);
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
using(Stream requestStream = request.GetRequestStream())
using(StreamWriter writer = new StreamWriter(requestStream))
{
writer.Write(string.Format("grant_type=authorization_code&code={0}&redirect_uri={1}",
Uri.EscapeDataString(code), Uri.EscapeDataString(redirectUri));
}
using(HttpWebResponse response = (HttpWebResponse)request.GetResponse())
{
//....
}
| Parameter Key | Required | Data Type | Default Value | Description |
| access_token | Y | string | The Access Token that your application shall use to perform API calls on behalf of the User | |
| token_type | Y | string | Always set to Bearer |
|
| expires_in | Y | int | Number of seconds that the Access Token is valid for. Once the token expires, use the Refresh Token to request a new Access Token | |
| refresh_token | Y | string | The Refresh Token that your application can use to request future Access Token for this authorization grant |
|
|
|
|
As mentioned earlier, since the client_secret should be treated as a private key, all API methods that require client_secret authorization should originate from your servers.
Now that the User granted access to your application, you may use the Access Token to perform actions on their behalf. Most of the Sprocket API methods require AccessToken authorization.
Access Tokens expire 30 minutes after they was issued.
Once a Access Token expires, use the Refresh Token to obtain a fresh one without requiring a new Authorization Flow, as demonstrated below:
+--------+ +---------------+
| |--(A)------- Authorization Grant --------->| |
| | | |
| |<-(B)----------- Access Token -------------| |
| | & Refresh Token | |
| | | |
| | +----------+ | |
| |--(C)---- Access Token ---->| | | |
| | | | | |
| |<-(D)- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--(E)---- Access Token ---->| | | |
| | | | | |
| |<-(F)- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |--(G)----------- Refresh Token ----------->| |
| | | |
| |<-(H)----------- Access Token -------------| |
+--------+ +---------------+
To obtain a new Access Token, issue a request to the Refresh Endpoint using the client_secret authorization method, along with the request parameters below:
https://rest.rallybound.com/sprocket/auth/oauth2/refresh
| Parameter Key | Required | Data Type | Default Value | Description |
| grant_type | Y | string | Must be set to refresh_token |
|
| refresh_token | Y | string | The Refresh Token obtained during the initial Authorization Flow | |
| scope | N | string | If a scope change is required, a space-delimited set of permissions that are a subset of the permissions granted by the User during the initial Authorization Flow. |
POST /sprocket/auth/oauth2/refre HTTP/1.1
Host: rest.rallybound.comAuthorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=7Naj7aZfSQvEzUa2MvezDk53
string endpoint = "https://rest.rallybound.com/sprocket/auth/oauth2/refresh";
string client_id = "s6BhdRkqt3";
string client_secret = "gX1fBat3bV";
string refreshToken = "7Naj7aZfSQvEzUa2MvezDk53";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(endpoint);
request.Credentials = new NetworkCredential(client_id, client_secret);
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
using(Stream requestStream = request.GetRequestStream())
using(StreamWriter writer = new StreamWriter(requestStream))
{
writer.Write(string.Format("grant_type=refresh_token&refresh_token={0}",
Uri.EscapeDataString(refreshToken));
}
using(HttpWebResponse response = (HttpWebResponse)request.GetResponse())
{
//....
}
| Parameter Key | Required | Data Type | Default Value | Description |
| access_token | Y | string | The Access Token that your application shall use to perform API calls on behalf of the User | |
| token_type | Y | string | Always set to Bearer |
|
| expires_in | Y | int | Number of seconds that the Access Token is valid for. once the token expires, use the Refresh Token to request a new Access Token |
|
|
|
|
By default, Refresh Token expire 1 year after it was issued.
Rallybound Objects are the Rallybound objects (eg Users, Teams etc) which can be accessed via the Sprocket API.
API responses will contain the requested, edited or created object(s).
| Field Name | Field Type | Notes |
| Id | int | |
| Name | string | |
| Description | string | |
| Date | long | unix timestamp |
| Url | string | |
| Campaign_Type | int | A number indicating what the Campaign type is |
| Fundraising_Goal | Fundraising_Goal | Some Fundraising_Goal fields are not applicable for the Campaign |
| Organization | Organization | |
| Series_Id | int | |
| Fundraiser_Leaders | Array of User | The length of the array is based on "leader_count" passed in as a query string parameter (defaults to 0). The Users' Fundraising_Goal will not populate the Displayed_Donation_Infos |
| Team_Leaders | Array of Team | The length of the array is based on "leader_count" passed in as a query string parameter (defaults to 0). The Teams' Fundraising_Goal will not populate the Displayed_Donation_Infos |
Campaigns can be grouped into a Series. Rallybound Fundraising Platforms are each an instance of a Series.
| Field Name | Field Type | Notes |
| Id | int | |
| Name | string | |
| Url | string | |
| Fundraising_Goal | Fundraising_Goal | Some Fundraising_Goal fields are not applicable for the Series |
| Fundraiser_Leaders | Array of User | The length of the array is based on "leader_count" passed in as a query string parameter (defaults to 0). The Users' Fundraising_Goal will not populate the Displayed_Donation_Infos |
| Team_Leaders | Array of Team | The length of the array is based on "leader_count" passed in as a query string parameter (defaults to 0). The Teams' Fundraising_Goal will not populate the Displayed_Donation_Infos |
| Field Name | Field Type | Notes |
| Id | int | |
| Name | string | |
| Tax_ID | string | |
| Website | string | |
| Address_Line_1 | string | |
| Address_Line_2 | string |
| Field Name | Field Type | Notes |
| Id | int | |
| string | ||
| First_Name | string | |
| Last_Name | string | |
| Profile_Image | string | Url |
| Is_Fundraiser | boolean | |
| Team_Id | int | null indicates that the User is not on a Team |
| Campaign_Id | int | |
| Fundraising_Goal | Fundraising_Goal | |
| Address | Address | |
| External_Completed_1 | boolean | Currently only used for CharityDynamics Boundless Fundraising™ Mobile App |
| External_Completed_2 | boolean | Currently only used for CharityDynamics Boundless Fundraising™ Facebook App |
| Field Name | Field Type | Notes |
| Id | int | |
| Name | string | |
| Profile_Image | string | Url |
| Captains | Array of User | |
| User_Ids | Array of int | |
| Campaign_Id | int | |
| Fundraising_Goal | Fundraising_Goal |
| Field Name | Field Type | Notes |
| Id | int | |
| Campaign_Name | string | |
| Fundraising_Page | string | Url |
| Fundraising_Page_Header | string | |
| Fundraising_Page_Html | string | |
| Goal_Amount | decimal | |
| Amount_Raised | decimal | |
| Amount_To_Goal | decimal | |
| Direct_Donate | string | |
| Displayed_Donation_Infos | Array of Displayed_Donation_Info | Not populated when returning leader list |
| Field Name | Field Type | Notes |
| Id | int | |
| Date | long | unix timestamp |
| Amount | decimal | |
| Donor_Name | string | |
| Donor_Email | string | Admin can restrict access to users |
| Donor_Address | Address | Admin can restrict access to users |
| Message | string | |
| Is_Pending | boolean |
| Field Name | Field Type | Notes |
| Id | int | |
| Address_1 | string | |
| Address_2 | string | |
| City | string | |
| State | string | |
| Zip | string | |
| Country | string | Iso3166Code |
Displayed_Donation_Info is not a Donation object. Rather, this is the publicly displayed portion of a Donation and is therefore available via API without AccessToken authorization
| Field Name | Field Type | Notes |
| Id | int | |
| Date | long | unix timestamp |
| Amount | decimal | null indicates anonymous |
| Donor_Name | string | null indicates anonymous |
| Message | string |
base url: /sprocket/v2
api version: 2.1
features include: pagination, filtering and sorting.
v2 is still being expanded; updates posted regularly.