Summary
The Manu Online API uses OAuth 2.0 authentication.
The basic idea is simple:
A user logs in once with Manu Online credentials through the OAuth login flow. After that, the integration receives an access token and a refresh token.
The access token is used in actual API calls. It is short-lived and is typically valid for about 30 minutes.
The refresh token is long-lived and is typically valid for about 2 years. It is used to request a new access token without requiring the user to log in again.
This is the key point:
Every time the integration uses a refresh token to get a new access token, Manu Online also returns a new refresh token. The integration must always store the latest refresh token and replace the old one. If the integration keeps using an old refresh token, the next refresh request fails.
Because of this, the integration must be able to:
store the refresh token securely
update the stored refresh token after each successful refresh
use the latest refresh token in the next refresh request
The integration does not keep using the Manu username and password programmatically. The login with Manu credentials is only needed for the initial authorization step.
How the connection stays running for years
Many programmers ask how the connection can continue automatically if the access token expires quickly.
The answer is:
The user completes the OAuth login once.
The integration receives an access token and a refresh token.
The access token is used in API calls.
When the access token expires, the integration uses the refresh token to request a new access token.
The token response also contains a new refresh token.
The integration saves that new refresh token and replaces the old one.
This process repeats continuously.
As long as the integration always stores and uses the newest refresh token, the connection can stay active long-term without repeated user login.
Important design rule
Do not store Manu username and password in code for ongoing API use.
Instead:
do one initial OAuth login
store tokens securely
refresh the access token automatically
always replace the old refresh token with the newest one returned by the token endpoint
A good implementation stores the refresh token in secure persistent storage such as a database, secret store, or protected configuration storage.
Required information
Before starting, make sure you have:
a Manu Online user account with the required API permissions
a Private App created in Manu Online
the app's Client ID
the app's Client Secret
the correct Redirect URI
the required API scope, for example API_ALL, if that is what your app uses
Authentication endpoints
Authorization endpoint:
https://auth.manuonline.com/oauth/authorize
Token endpoint:
https://auth.manuonline.com/oauth/token
API documentation:
https://api.manuonline.com/
Step 1: Get the first tokens with Authorization Code flow
For the initial connection, use OAuth 2.0 Authorization Code flow.
Typical Postman configuration:
Grant Type: Authorization Code
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL: https://auth.manuonline.com/oauth/authorize
Access Token URL: https://auth.manuonline.com/oauth/token
Client ID: your app client id
Client Secret: your app client secret
Scope: for example API_ALL
After successful login and authorization, Manu Online returns an authorization code. Postman then exchanges that code for:
access token
refresh token
Step 2: Use the access token in API calls
Use the access token in the Authorization header:
Authorization: Bearer {access_token}
The access token is used in normal Manu Online API requests until it expires.
Step 3: Refresh the access token
When the access token expires, send a POST request to the token endpoint:
POST https://auth.manuonline.com/oauth/token
Send the values in the Body as x-www-form-urlencoded.
Use these fields:
grant_type=refresh_token
refresh_token={current_refresh_token}
client_id={client_id}
client_secret={client_secret}
Important:
send the values in the request body
use x-www-form-urlencoded
do not rely on old refresh tokens
after a successful refresh, save the new refresh token immediately
Example refresh response
A successful response contains at least:
access_token
token_type
expires_in
refresh_token
Example:
{
"access_token": "new_access_token_here",
"token_type": "bearer",
"expires_in": 1799,
"refresh_token": "new_refresh_token_here"
}
The new refresh token in the response becomes the token that must be used next time.
Recommended program logic
A typical integration works like this:
Load the currently stored refresh token.
Request a new access token from the token endpoint.
Read both the new access token and the new refresh token from the response.
Save the new refresh token immediately.
Use the new access token in API calls.
In other words, the refresh token must be treated as a value that changes over time.
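The logic above as an added Python example (not Manu Online's own code): RotatingTokenStore, its method names and the token file are hypothetical, and the file stands in for a database or secret store. It allows only one refresh at a time, because an old refresh token fails once it has been replaced, and it writes the new refresh token atomically before the access token is used.

```python
import json, os, tempfile, threading, time
import urllib.parse, urllib.request

TOKEN_URL = "https://auth.manuonline.com/oauth/token"  # token endpoint from this page

def post_form(url, fields):
    """Default transport: POST the fields as x-www-form-urlencoded, return parsed JSON."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)  # a request with data is sent as POST
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class RotatingTokenStore:
    """Hypothetical helper that keeps only the newest refresh token on disk."""
    def __init__(self, path, client_id, client_secret, transport=post_form):
        self.path, self.client_id, self.client_secret = path, client_id, client_secret
        self.transport = transport        # injectable so tests need no network
        self._lock = threading.Lock()     # serialize refreshes within this process
        self._access, self._expires_at = None, 0.0

    def save_refresh_token(self, refresh_token):
        # mkstemp creates the file readable and writable by the owner only;
        # os.replace swaps it in atomically, so a crash never leaves a partial file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)))
        with os.fdopen(fd, "w") as f:
            json.dump({"refresh_token": refresh_token}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def load_refresh_token(self):
        with open(self.path) as f:
            return json.load(f)["refresh_token"]

    def access_token(self, skew=60):
        with self._lock:
            if self._access and time.time() < self._expires_at - skew:
                return self._access       # still valid, no refresh needed
            resp = self.transport(TOKEN_URL, {
                "grant_type": "refresh_token", "refresh_token": self.load_refresh_token(),
                "client_id": self.client_id, "client_secret": self.client_secret})
            if not resp.get("access_token") or not resp.get("refresh_token"):
                raise RuntimeError("token response missing access_token or refresh_token")
            self.save_refresh_token(resp["refresh_token"])  # persist before first use
            self._access = resp["access_token"]
            self._expires_at = time.time() + int(resp.get("expires_in", 0))
            return self._access
```

Seed the store once with save_refresh_token() using the refresh token from the initial Authorization Code login. If several processes share one token file, they also need a cross-process lock, which this example does not provide.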
Simple mental model
Think of the refresh token as a ticket that is replaced every time you use it.
When you use the current ticket, Manu Online gives you:
a new access token
a new ticket
You must save the new ticket and discard the old one.
If your integration keeps using the old ticket, the next refresh fails.
Common mistakes
Using username and password for ongoing API automation
This is not the intended model. Use OAuth 2.0 tokens after the initial login.
Not saving the new refresh token
This is the most common implementation mistake. The integration must always overwrite the old refresh token with the newest one.
Sending refresh parameters in the wrong place
Send the refresh request as a POST to /oauth/token with an x-www-form-urlencoded body.
Hardcoding refresh token in source code
Do not hardcode a refresh token into code permanently. Store it in secure persistent storage so it can be updated after each refresh.
What programmers need to implement
A proper Manu Online API integration needs to:
support the initial OAuth 2.0 Authorization Code login
store access token and refresh token securely
detect or anticipate access token expiration
request a new access token with the current refresh token
store the new refresh token returned by the response
continue using the latest refresh token in all future refresh calls
Short version
Manu Online API authentication works so that the user logs in once with Manu credentials and the integration receives an access token and a refresh token. The access token is used in API calls and expires quickly. The refresh token is used to get a new access token without user login. Each refresh also returns a new refresh token, so the integration must always save the newest refresh token and replace the old one. This is what allows the connection to continue automatically for a long time.