Quick Reference Guide

Here are some important information to take note of:

Environment	Base URL
Sandbox APIs	https://sandboxapi.poems.com.sg/api-gateway/pspl/
POEMS API Playgournd	https://sandboxapi.poems.com.sg/playground

Test Accounts/IDs for APIs

Sandbox API endpoints for authenticaton:

https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/authorize
https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/token

User credentials for the POEMS login:

User ID: 2222222
Password: 156156qw

Client ID and Secret Key:

Client ID: POEMS-DEMO
Secret Key: 87F8D5C4-5CE9-4C12-A0CD-0A876CDF3ACE

X-Api-Key for POEMS API:

B8A6F3CF-93FA-4116-8424-31E4DFEC10EB

Technical Requirements

Please ensure your application follows the following technical requirements.

JSON - JavaScript Object Notation
- API use JSON format as data return. White label application should be able to interpret JSON formatted data from API.
Signature Algorithm
- White lable application that authenticate API with 2-legged OAuth (Client Credential Grant) flow must use RS256 for signature algorithm.

Status Codes

API	Status Code	Reason
success	1	API return sccess.
authorize	302	Autorization error - reason depends on sub error codes
token	400	AuthCode error - missing, invalid, expired, revoked token
token	500	Internal server error. Error message will be in response body if it's available
Function	-1	Gateway error. Possible cause: missing/unexpected parameter(s) or incorrect parameter format
Function	-42	Invalid Session

POEMS API OAuth 2.0 Flows Details

Register with POEMS API to obtain OAuth 2.0 Credentials

Register with POEMS API to obtain OAuth 2.0 credentials such as a Client ID, Client Secret & API Key.

In order to access POEMS API, first you need to register in API portal, and then you will be given Client ID, Client Secrect and API Key upon succcessful registration.

OAuth 2.0 is an authorization method to provide access to resources over an HTTPS protocol. It is an open standard for authorization that enables applications to access server resources on behalf of a specific resource owner.

OAuth also enables Resource Owners (end users) to authorize limited third-party access to their server resources without sharing their credentials.

Obtain OAuth 2.0 API Access Token

POEMS API Gateway currently supports two OAuth 2.0 authorization flows,

1. App with POEMS Access

Applications require an authentication step where the user logs in with POEMS account.

Third party applications connects through authentication based on POEMS User ID and password. Also known as the authorization code grant, this is based on end-user authentication/ authorization. This flow involves three actors:

Resource Owner (POEMS Customer), Client App (your application), Authorization Server (POEMS API Gateway)

Below diagram illustrates the OAuth 2.0 Authorization Code authorization (3-legged OAuth) flow designated for client apps that intend to access a POEMS Customer's resource on an End-User Authentication basis.

A user, as the resource owner, initiates a request to the client application.
The client application sends the resource owner a re-direction to the POEMS API Gateway authorization endpoint with applicable query parameters. The POEMS Login Page is displayed on the Resource Owner's device browser.

The Resource Owner must authenticate himself/herself by providing POEMS credentials in the login page, and click the Login button
Upon successful user authentication, the authorization endpoint generates an authorization code and sends it to the client application using the client redirect URI.
The client application requests for access token by sending the authorization code to the Token Endpoint exposed by the authorization server, providing a valid client_id and client secret pair in the header as form of HTTP Basic Authentication Scheme.
Client application is able to access POEMS API resources with a valid access token.

URL to authenticate user, https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/authorize
URL to request token, https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/token

2. App without POEMS Access

Third party applications directly connect to our POEMS API using RSA256 Private and Public Key

Also known as the client credentials grant, this is based on trusted application-to-application communication.

This flow involves 2 actors: Client App (your application), Authorization Server (POEMS API Gateway)

The diagram illustrates the OAuth2.0 Client Credentials flow designated for trusted Client Apps who would like to access POEMS Resources on a higher-level Application-to-Application basis.

The Client App requests for application-to-application authentication by sending a pre-defined identifier and signed token to the authorization endpoint.
On successful authentication, the authorization endpoint returns the access token and refresh token (if necessary) to the client application.

URL to request token, https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/token

Access POEMS API

After an application obtains an access token, it sends the token to POEMS API in an HTTP authorization header

POEMS API URL: https://sandboxapi.poems.com.sg/api-gateway/pspl/mobile2/1.0/global/order/today

Authorization API

This API is used to request access code. Access code will be return in client redirect URI.

HTTP Request

GET https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/authorize

Parameter	Type	Description
response_type	query	value must be "code"
client_id	query	unique ID for your application. For our sample application, use POEMS-DEMO
deviceId	query	Unique device id. This can be finger print id for browser, device id for mobile and unique key for desktop application.
state	query	identifier to reconcile query and response. This will be sent back to you via the callback URL. Use a unique system generated number for each and every call.
redirect_uri	query	your callback URL for POEMS API Gateway to return with the authorisation code. For our sample application this is http://localhost:3000/callback

Request Token API

To request the JWT access token. Based on the grant_type, parameters may vary.

HTTP Request

POST https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/token

Parameter	Type	Description
grant_type	form	For retrieving token, value must be "authorization_code". For refreshing token, value must be "refresh_token"
code	form	the authcode given by the authorize API.
redirect_uri	form	your callback URL for POEMS API Gateway to validate. For our sample application this is http://localhost:3000/callback
client_id	form	unique ID for your application. For our sample application, use POEMS-DEMO
client_secret	form	secret key given to your application during registration. For our sample application, this is 87F8D5C4-5CE9-4C12-A0CD-0A876CDF3ACE

Using 3-legged OAuth2 Tutorial

NOTE:
You should have basic knowledge of OAuth process to follow the tutorial.
This tutorial will show you how to call call POEMS api in web server based application from front end using 3-legged OAuth Authentication flow.

The API specifications for this tutorial can be found HERE.

1. Download our Sample Client Application

For the purpose of the tutorial, please download our sample client application.

DOWNLOAD SAMPLE APP.
DOWNLOAD WORKSHOP APP.
Once you have downloaded the sample application, unzip the file.

A) Install Node and NPM

In order for the demo application to run, you will need to install Node and NPM.
Follow the instructions given by the link below depending on your OS.
Install Node.js
If you have Nodejs installed, check using node -v command.

B) Run NPM install

Run the following command in the folder you unzipped the application:

npm install

C) Start the Application

For Linux/MacOS
Execute the following command to start the application:

./start.sh

For Windows
Execute the following command to start the application:

start.bat

Access the Application on Your Browser
You should be able to access the sample application via the following URL:
http://localhost:3000

2. Trigger POEMS API Login (authorize API)

The authorization endpoint triggers POEMS API login which requires user to login with POEMS account.
Refer to Quick Reference for user login credentials.
After you are logged in, click "View Orders"

Open views/html/index.html in the sample application and look for the following lines of code:
index.html file will be the frontend(client side) code

//function to redirect to POEMS API login page

function callLoginApi() {

	var authorizeUrl = authApiUrl + "?response_type=code"
	+ "&client_id=" + clientId
	+ "&deviceId=MyDemoFP"
	+ "&state=" + state
	+ "&redirect_uri=" + redirectUrl;
	window.location = authorizeUrl;
}

This code triggers the authorize API.

It calls the AUTH API URL below (with some additional parameters):

https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/authorize

Note that this API is using HTTPS GET.
You will notice that the URL contains the following parameters:

PARAMETER	Type	DESCRIPTION
response_type	query	value must be "code"
client_id	query	unique ID for your application. For our sample application, use POEMS-DEMO
deviceId	query	Unique device id. This can be finger print id for browser, device id for mobile and unique key for desktop application.
state	query	identifier to reconcile query and response. This will be sent back to you via the callback URL. Use a unique system generated number for each and every call.
redirect_uri	query	your callback URL for POEMS API Gateway to return with the authorisation code. For our sample application this is http://localhost:3000/callback

a) Login with POEMS Account

Use this test ID and password to login to POEMS API Gateway:
User Name: 2222222 Password: 156156qw

b) Get the Authorisation Code

If you have followed the steps above correctly, the authorize api should return you an authorisation code by accessing your callback URL. You should now see something like this in your server side callback.

http://localhost:3000/callback?code=c516Bn&state=123

The dialog below shows the server side callback function.

/* GET callback. */
router.get('/callback', function (req, res, next) {

	if (!_.isUndefined(req.query.code) && !_.isEmpty(req.query.code)) {
		//recieve access code from authorize api after login
		console.log("access code: ".yellow + req.query.code.green);
		// exchange access code for access token
		callTokenAPI(req.query.code, false,
			function (data) {
			...

		} else {
			res.send("You are not authorize to see this page.");
		}
	...

Notice the parameter code - It is the authorisation code that your application will used to invoke the next API (token). In the example above, the authorisation code is c516Bn. We will use this authorisation code in the next token API call.

The token API calls will follow once you have received the code in the server side.
We will look at the code for token APIs in the following sections.

3. Call the Token API (with the authorisation code)

Now that you have the authorisation code, you can invoke the token API to get the access token.
In the sample application we call this API from a server-side component. It is recommended that it should not be called from the browser or mobile native client application to prevent exposing access token to unauthorized entities.
Open routes/index.js in our sample client application and search for the following:

index.js is the backend (server side) code.


//to prepare request for access TOKEN API
function prepareRequestForAccessToken(code) {
	var cacheCtl = "no-cache";
	var contentType = "application/x-www-form-urlencoded";
	var result;
	// assemble params for Token API
	var strParams = "grant_type=authorization_code" +
		"&code=" + code +
		"&redirect_uri=" + _redirectUrl +
		"&client_id=" + _clientId +
		"&client_secret=" + _clientSecret;

	var params = querystring.parse(strParams);

	...
	
	result = {
		params: params,
		headers: headers
	}
	return result;
}

// function to request for TOKEN API
function callTokenAPI(tokenParam, isRefresh, callback) {

	var headers;
	var params;
	var requestHeadersAndParams;
	// determine token parameters for access token request or refresh token request
	if (isRefresh) {
		requestHeadersAndParams = prepareRequestForRefreshToken(tokenParam);
	} else {
		requestHeadersAndParams = prepareRequestForAccessToken(tokenParam);
	}

	headers = requestHeadersAndParams.headers;
	params = requestHeadersAndParams.params;

	var request = restClient.post(_tokenApiUrl);

	...
}

The code is creating the request to call TOKEN API:

https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/token

Note that this API is using HTTPS POST.
The parameters in the POST body are as follows:

PARAMETER	Type	DESCRIPTION
grant_type	form	grant type for getting token ("authorization_code")
Code	form	the authcode given by the authorize API.
redirect_uri	form	your callback URL for POEMS API Gateway to validate. For our sample application this is http://localhost:3000/callback
client_id	form	unique ID for your application. For our sample application, use POEMS-DEMO
client_secret	form	secret key given to your application during registration. For our sample application, this is 87F8D5C4-5CE9-4C12-A0CD-0A876CDF3ACE

The sample application will then send the constructed request to the API Gateway, and you should see the following response from the npm console logs:


										Response from Token API: 
										{
										"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic2VydmVyMSJdLCJ1c2VyX25hbWUiOiJDdXN0b21pemVQcmluY2lwYWxDb25maWd1cmUgW3VzZXJBY2NvdW50Tm89MDAwMDAwMCwgc2Vzc2lvbklkPTcyQzU5QTIwLUVCQUEtNEEzMS04M0Y2LTUwMTQ3MTQwODQ0NywgYWNjb3VudFR5cGU9ViwgZGV2aWNlSWQ9TXlEZW1vRlBdIiwic2NvcGUiOlsicmVhZCJdLCJhY2NvdW50Tm8iOiIwMDAwMDAwIiwiYWNjb3VudFR5cGUiOiJWIiwic2Vzc2lvbklkIjoiNzJDNTlBMjAtRUJBQS00QTMxLTgzRjYtNTAxNDcxNDA4NDQ3IiwiZXhwIjoxNTM3MDk1MTU2LCJkZXZpY2VJZCI6Ik15RGVtb0ZQIiwiYXV0aG9yaXRpZXMiOlsicG1vYmlsZSJdLCJqdGkiOiJjY2JiMmE4MS03OGQ3LTQ2YzQtOWQ0MC04ZTYwMjAzM2U4OWIiLCJjbGllbnRfaWQiOiJwbW9iaWxlMiJ9.roEsJ3JOgXFFVVEf_AMXoqdewSdwun7Dq3WTcwLBpnQQviaI1HinzxiKN8eSuIgwjr4TpaoHLHvti9ZKIHhD-RMBpY6zm0oucwNnLjtbghIWlvHrYOG7iI8S2UgG0eqSDpgX1rtCJftMM3k-P-_J_uo2-XaGWhDaBSwbpXHbM4aUZVru_383DkqZQEy5JRbAAJ220DSBcjifjnHDT7UrJJY-GSRSNW8jXJP40JzalE-e33pe6pFCr_IMGAhJqqRapMchomjyM97zSYfeuOOXEi0GpWD-ibEz6F9AvwueFmOk3T2ABgx8RQLSnWfQrea2RhUEkiwtc2AIElJEl5VuLg",
										"token_type":"bearer",
										"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic2VydmVyMSJdLCJ1c2VyX25hbWUiOiJDdXN0b21pemVQcmluY2lwYWxDb25maWd1cmUgW3VzZXJBY2NvdW50Tm89MDAwMDAwMCwgc2Vzc2lvbklkPTcyQzU5QTIwLUVCQUEtNEEzMS04M0Y2LTUwMTQ3MTQwODQ0NywgYWNjb3VudFR5cGU9ViwgZGV2aWNlSWQ9TXlEZW1vRlBdIiwic2NvcGUiOlsicmVhZCJdLCJhY2NvdW50Tm8iOiIwMDAwMDAwIiwiYWNjb3VudFR5cGUiOiJWIiwiYXRpIjoiY2NiYjJhODEtNzhkNy00NmM0LTlkNDAtOGU2MDIwMzNlODliIiwic2Vzc2lvbklkIjoiNzJDNTlBMjAtRUJBQS00QTMxLTgzRjYtNTAxNDcxNDA4NDQ3IiwiZXhwIjoxNTM3MTMwMTU2LCJkZXZpY2VJZCI6Ik15RGVtb0ZQIiwiYXV0aG9yaXRpZXMiOlsicG1vYmlsZSJdLCJqdGkiOiJjYTAzNTU3MS1hMjBhLTRiNzUtOTk2ZC02ZjViN2U3YWNjZmQiLCJjbGllbnRfaWQiOiJwbW9iaWxlMiJ9.Wtem1uc6Wqn61nKfOonwr1oF9WJknaf5UqDueDnpUkYTeQJOoNcJRkvj6ga7BF31yEa-asVeLedkHS5Phkh7dsVrGMsKoidXzFXUsfvhXkhhtP8NAq9D5poyWEl_dJJWzcpBB7-Tj5CpUZ85FopXeYVVhMp7aKMHqvA0Ojrj8_CFvPK0pPY4sBLcoLV-zfMShykTivVqdQMjrE7ImCsJAjsqA28QIaJqGWajMJbTwRixf9PEk2vX6OmPuO0jqtcsd7kPi10tlu8mHI3q3IDWtvW5g-G2rBgCJAg6JiUV4MqigV4nb_fQU0iwf1ZT0VGpQ7Y3Sfvx76IrEJ58zrQ7dw",
										"expires_in":999,
										"scope":"read",
										"accountNo":"2222222",
										"accountType":"V",
										"sessionId":"72C59A20-EBAA-4A31-83F6-501471408447",
										"deviceId":"MyDemoFingerPrint",
										"jti":"ccbb2a81-78d7-46c4-9d40-8e602033e89b"
										}

Notice the response contains an "access_token" and "refresh_token", which is in the JWT (JSON Web Token) format. We use "expires_in" to determine token expiration time. If the token is expired we call token API to request for new access token. We will describe the token renewal process below
NOTE: token contains built-in additional information about login user session which is also encoded in the access_token string to be determined by Gateway. We will only need the encoded access_token in order to successfully call the POEMS API.

4. Call the Refresh Token API (access token is expired)

Now that you have the refresh token, you can invoke the token API to get the new access token.
NOTE: Our JWT access token is a stateless session token. Expires_in determine when access token will expire. To avoid session time out, we check token expire each and every call. If token expired, we call refresh token api to request for new access token. Unlike token api request, refresh token api request does not require user to authorize again.

Open routes/index.js in our sample client application and search for the following:

index.js is the backend (server side) code.

//to prepare request for refresh TOKEN API
function prepareRequestForRefreshToken(refreshToken) {
	var cacheCtl = "no-cache";
	var contentType = "application/x-www-form-urlencoded";
	var result;
	// assemble params for Token API
	var strParams = "grant_type=refresh_token" +
		"&client_id=" + _clientId +
		"&refresh_token=" + refreshToken;

	var params = querystring.parse(strParams);

	...
	
	result = {
		params: params,
		headers: headers
	}
	return result;
}

// function to request for TOKEN API
function callTokenAPI(tokenParam, isRefresh, callback) {

	var headers;
	var params;
	var requestHeadersAndParams;
	// determine token parameters for access token request or refresh token request
	if (isRefresh) {
		requestHeadersAndParams = prepareRequestForRefreshToken(tokenParam);
	} else {
		requestHeadersAndParams = prepareRequestForAccessToken(tokenParam);
	}

	headers = requestHeadersAndParams.headers;
	params = requestHeadersAndParams.params;

	var request = restClient.post(_tokenApiUrl);

	...
}

The code is creating the request to call TOKEN API:

https://sandboxapi.poems.com.sg/api-gateway/pspl/auth/1.0/oauth/token

Note that this API is using HTTPS POST.
The parameters in the POST body are as follows:

PARAMETER	Type	DESCRIPTION
grant_type	form	grant type for getting new token ("refresh_token")
client_id	form	unique ID for your application. For our sample application, use POEMS-DEMO
refresh_token	form	JWT refresh token to request for new access token.

The sample application will then send the constructed request to the API Gateway, and you should see the following response from the npm console logs:


										Response from Token API: 
										{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic2VydmVyMSJdLCJ1c2VyX25hbWUiOiJDdXN0b21pemVQcmluY2lwYWxDb25maWd1cmUgW3VzZXJBY2NvdW50Tm89MDAwMDAwMCwgc2Vzc2lvbklkPTcyQzU5QTIwLUVCQUEtNEEzMS04M0Y2LTUwMTQ3MTQwODQ0NywgYWNjb3VudFR5cGU9ViwgZGV2aWNlSWQ9TXlEZW1vRlBdIiwic2NvcGUiOlsicmVhZCJdLCJhY2NvdW50Tm8iOiIwMDAwMDAwIiwiYWNjb3VudFR5cGUiOiJWIiwic2Vzc2lvbklkIjoiNzJDNTlBMjAtRUJBQS00QTMxLTgzRjYtNTAxNDcxNDA4NDQ3IiwiZXhwIjoxNTM3MDk1MTU2LCJkZXZpY2VJZCI6Ik15RGVtb0ZQIiwiYXV0aG9yaXRpZXMiOlsicG1vYmlsZSJdLCJqdGkiOiJjY2JiMmE4MS03OGQ3LTQ2YzQtOWQ0MC04ZTYwMjAzM2U4OWIiLCJjbGllbnRfaWQiOiJwbW9iaWxlMiJ9.roEsJ3JOgXFFVVEf_AMXoqdewSdwun7Dq3WTcwLBpnQQviaI1HinzxiKN8eSuIgwjr4TpaoHLHvti9ZKIHhD-RMBpY6zm0oucwNnLjtbghIWlvHrYOG7iI8S2UgG0eqSDpgX1rtCJftMM3k-P-_J_uo2-XaGWhDaBSwbpXHbM4aUZVru_383DkqZQEy5JRbAAJ220DSBcjifjnHDT7UrJJY-GSRSNW8jXJP40JzalE-e33pe6pFCr_IMGAhJqqRapMchomjyM97zSYfeuOOXEi0GpWD-ibEz6F9AvwueFmOk3T2ABgx8RQLSnWfQrea2RhUEkiwtc2AIElJEl5VuLg","token_type":"bearer",
										"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic2VydmVyMSJdLCJ1c2VyX25hbWUiOiJDdXN0b21pemVQcmluY2lwYWxDb25maWd1cmUgW3VzZXJBY2NvdW50Tm89MDAwMDAwMCwgc2Vzc2lvbklkPTcyQzU5QTIwLUVCQUEtNEEzMS04M0Y2LTUwMTQ3MTQwODQ0NywgYWNjb3VudFR5cGU9ViwgZGV2aWNlSWQ9TXlEZW1vRlBdIiwic2NvcGUiOlsicmVhZCJdLCJhY2NvdW50Tm8iOiIwMDAwMDAwIiwiYWNjb3VudFR5cGUiOiJWIiwiYXRpIjoiY2NiYjJhODEtNzhkNy00NmM0LTlkNDAtOGU2MDIwMzNlODliIiwic2Vzc2lvbklkIjoiNzJDNTlBMjAtRUJBQS00QTMxLTgzRjYtNTAxNDcxNDA4NDQ3IiwiZXhwIjoxNTM3MTMwMTU2LCJkZXZpY2VJZCI6Ik15RGVtb0ZQIiwiYXV0aG9yaXRpZXMiOlsicG1vYmlsZSJdLCJqdGkiOiJjYTAzNTU3MS1hMjBhLTRiNzUtOTk2ZC02ZjViN2U3YWNjZmQiLCJjbGllbnRfaWQiOiJwbW9iaWxlMiJ9.Wtem1uc6Wqn61nKfOonwr1oF9WJknaf5UqDueDnpUkYTeQJOoNcJRkvj6ga7BF31yEa-asVeLedkHS5Phkh7dsVrGMsKoidXzFXUsfvhXkhhtP8NAq9D5poyWEl_dJJWzcpBB7-Tj5CpUZ85FopXeYVVhMp7aKMHqvA0Ojrj8_CFvPK0pPY4sBLcoLV-zfMShykTivVqdQMjrE7ImCsJAjsqA28QIaJqGWajMJbTwRixf9PEk2vX6OmPuO0jqtcsd7kPi10tlu8mHI3q3IDWtvW5g-G2rBgCJAg6JiUV4MqigV4nb_fQU0iwf1ZT0VGpQ7Y3Sfvx76IrEJ58zrQ7dw",
										"expires_in":999,"scope":"read","accountNo":"2222222","accountType":"V","sessionId":"72C59A20-EBAA-4A31-83F6-501471408447","deviceId":"MyDemoFingerPrint","jti":"ccbb2a81-78d7-46c4-9d40-8e602033e89b"}

5. Call the POEMS API (with the access token)

Now that you have the access token, you can invoke the token API to get the data.
Click HERE. for more info about the POEMS API
NOTE: This API should be called from a server-side component.

You will need to provide a valid access token or your API call will be rejected.
Open routes/index.js in our sample client application and search for the following:

index.js is the backend (server side) code.

//function to call orders api
function callTodayOrdersAPI(accessToken, callback) {

	var result;
	// assemble params for orders API
	var strParams = "osVersion=1" +
		"&language=1";
	var params = querystring.parse(strParams);

	// assemble headers for orders API
	var strHeaders = "x-api-key=" + _x_api_key;
	var headers = querystring.parse(strHeaders);
	_.set(headers, "Authorization", "Bearer " + accessToken);

	...
	
	var request = restClient.get(_todayOrderApiUrl);

	...
}

The code is creating the request to call the following POEMS API:

https://sandboxapi.poems.com.sg/api-gateway/pspl/mobile2/1.0/global/order/today

Note that this API is called using HTTPS GET.
The additional parameters are as follows:

PARAMETER	Type	DESCRIPTION
x_api_key	header	Api key provided to you during registration. For our sample application, this is `B8A6F3CF-93FA-4116-8424-31E4DFEC10EB`
Authorization	header	Access token requested. Format should look like this. "Bearer [access_token]".

Providing the Access Token in the Request Header
The access token should be provided in the header of your API call under "Bearer".
You should see something like this in the npm console logs:


										Request Header for Order API:

										{"x-api-key":"B8A6F3CF-93FA-4116-8424-31E4DFEC10EB","Authorization":"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic2VydmVyMSJdLCJ1c2VyX25hbWUiOiJDdXN0b21pemVQcmluY2lwYWxDb25maWd1cmUgW3VzZXJBY2NvdW50Tm89MDAwMDAwMCwgc2Vzc2lvbklkPTcyQzU5QTIwLUVCQUEtNEEzMS04M0Y2LTUwMTQ3MTQwODQ0NywgYWNjb3VudFR5cGU9ViwgZGV2aWNlSWQ9TXlEZW1vRlBdIiwic2NvcGUiOlsicmVhZCJdLCJhY2NvdW50Tm8iOiIwMDAwMDAwIiwiYWNjb3VudFR5cGUiOiJWIiwic2Vzc2lvbklkIjoiNzJDNTlBMjAtRUJBQS00QTMxLTgzRjYtNTAxNDcxNDA4NDQ3IiwiZXhwIjoxNTM3MDk1MTA3LCJkZXZpY2VJZCI6Ik15RGVtb0ZQIiwiYXV0aG9yaXRpZXMiOlsicG1vYmlsZSJdLCJqdGkiOiJkMDljNWMxZS0zY2Q5LTQyZjYtOWEzMy00NmQ0MzIxYWQwMDUiLCJjbGllbnRfaWQiOiJwbW9iaWxlMiJ9.ZJbi8YdtmvemYWgdDFKYbAt8I5x1ugPzJMwEj18jV9llDqXEKGVP_XouKtsChyZOy-H38Qe8zLNH4MBWjH6ShNJxFr0DlTMLtTunhHaefV1YfQK97kc9fzQsVZuUOT6T241Yo-wTsuKGIRkfoBvxRhG1n8y_Lmsew7Xxzeg6FcgFpXmUabwGHO3mMAsYW8CUYgPED7uVqhB7EQsNgVDSpRyhLLGKARUSryHyMEUC_PYIU6OlimnFd0zfHX2XUNkhoMWv7gOu7yILlEpjaWtpVt6B9Y4IKgEers7FTXsJumpX4Yk-4rAEyQzozTvOGkcV4xGsFX84nBSinGvgb2Kz_g"}

Once this is done, you should see the orders JSON in the npm console logs that looks like this:


										Response from Order API:

										{"msg":"Success","code":1,"passwordRequire":true,"twoFARequire":false,"newOrderPMPTopic":"ZZ|ZZ_2222222|POEMS","orders":[{"counterID":"FT/SIMEX/SIMEX/CNU18","name":
										"SGX FTSE CHINA A50 INDEX - SEP 2018","symbol":"CNU18","product":"FT","productIcon":"FUT","action":"BUY","status":"OP","statusColor":"GRAY","submittedPrice":"11,240
										","submittedQty":"1","remainingQty":null,"submittedTime":"03 Sep 2018 10:48 AM","executedPrice":"0","executedQty":"0","updatedTime":null,"orderNo":"86506","lotSize"
										:null,"stopPrice":"","stopLimitPrice":"","ocoPrice":null,"trailingStop":null,"triggeredType":null,"units":null,"investedAmmount":null,"nav":null,"netSalesCharge":nu
										ll,"receivedTime":"","executedTime":"","amendURI":"","withdrawURI":"/FT/orders/withdraw/86506","isTradeable":false,"isInfoAvailable":false,"orderDetailsURI":"/FT/or
										ders/today/86506","orderPMPTopic":null,"orderType":"Limit","orderStatusDesc":"Order Pending","cancelURI":null,"referenceNo":null,"delayIndicator":"","market":"SIMEX
										","exchange":"SIMEX","paymentCurrency":null,"latestUpdatedTime":"2018-09-03 10:48:02"},{"counterID":"FT/SIMEX/SIMEX/SGU18","name":"MSCI SINGAPORE INDX - SEP 2018","
										symbol":"SGU18","product":"FT","productIcon":"FUT","action":"BUY","status":"OP","statusColor":"GRAY","submittedPrice":"362","submittedQty":"1","remainingQty":null,"
										submittedTime":"03 Sep 2018 10:46 AM","executedPrice":"0","executedQty":"0","updatedTime":null,"orderNo":"86505","lotSize":null,"stopPrice":"","stopLimitPrice":"","
										ocoPrice":null,"trailingStop":null,"triggeredType":null,"units":null,"investedAmmount":null,"nav":null,"netSalesCharge":null,"receivedTime":"","executedTime":"","am
										endURI":"","withdrawURI":"/FT/orders/withdraw/86505","isTradeable":false,"isInfoAvailable":false,"orderDetailsURI":"/FT/orders/today/86505","orderPMPTopic":null,"or
										derType":"Limit","orderStatusDesc":"Order Pending","cancelURI":null,"referenceNo":null,"delayIndicator":"","market":"SIMEX","exchange":"SIMEX","paymentCurrency":nul
										l,"latestUpdatedTime":"2018-09-03 10:46:21"}]}

5. Use the JSON object to Show data

If you have followed the steps above correctly, you should have gotten the data JSON object from poems api.

SUMMARY

You've successfully used the OAuth2 process to get the data from POEMS API sandbox environment.

Overview

Overview of POEMS API Integration

The diagram below shows a logical overview of the 3-legged OAuth architecture:

The diagram below shows a logical overview of the 2-legged OAuth architecture:

As shown in above diagrams, your application will be using our POEMS API Gateway to integrate successfully with POEMS API

APIs

There are five API resouces (Global, Stocks, CFD, UT, & FTFX) that you can use based on your requirement and access rights.

Global

This is the API for the global (common) features for all supported products, such as login, watchlist, alert, order status.

URL

https://sandboxapi.poems.com.sg/pmobile2/global/

Stocks

This is the Stocks product specific API. You may need to use this API to request for stocks specific request, such as stocks trade submit, stocks counter details, stocks order status details.

URL

https://sandboxapi.poems.com.sg/pmobile2/st/

CFD

This is the CFD/DMA product specific API. You may need to use this API to request for cfd/dma specific request, such as cfd/dma trade submit, cfd/dma counter details, cfd/dma order status details.

URL

https://sandboxapi.poems.com.sg/pmobile2/cfd/

UT

This is the Unit Truxt product specific API. You may need to use this API to request for unit trust specific request, such as unit trust trade submit, unit trust counter details, unit trust order status details.

URL

POST https://sandboxapi.poems.com.sg/pmobile2/ut/

FT/FX

This is the FT/FX product specific API. You may need to use this API to request for ft/fx specific request, such as ft/fx trade submit, ft/fx counter details, ft/fx order status details.

URL

POST https://sandboxapi.poems.com.sg/pmobile2/ftfx/

Quick Reference Guide

JSON - JavaScript Object Notation

Signature Algorithm

POEMS API OAuth 2.0 Flows Details

Authorization API

HTTP Request

Request Token API

HTTP Request

Using 3-legged OAuth2 Tutorial

1. Download our Sample Client Application

A) Install Node and NPM

B) Run NPM install

C) Start the Application

2. Trigger POEMS API Login (authorize API)

a) Login with POEMS Account

b) Get the Authorisation Code

3. Call the Token API (with the authorisation code)

4. Call the Refresh Token API (access token is expired)

5. Call the POEMS API (with the access token)

5. Use the JSON object to Show data

SUMMARY

Overview

Overview of POEMS API Integration

APIs

Global

Stocks

CFD

UT

FT/FX