Authentication

Please check the question mentioned below:

Authentication

about 5 hours ago by Karan
Hi, I have the following question:

Why does ServiceM8’s OAuth implementation differ from standard OAuth flows, where third-party applications typically don’t require the user to directly enter their username and password? Specifically, I’ve noticed that in some cases—especially for apps that are not public or listed in the Add-ons directory—the OAuth process requires direct ServiceM8 credential entry. Could you explain the reasoning behind this approach?

And what are the ways of app approval to be able to use ServiceM8’s public OAuth flow (passwordless)? How long does it take for approval?

about 5 hours ago by Cody
Hi Karan,

Great question about ServiceM8's OAuth authentication flow!

OAuth Implementation Clarification:
ServiceM8's OAuth 2.0 implementation actually follows standard OAuth flows. When you experience what appears to be "direct credential entry," this is actually the standard OAuth process where users must first be logged into their ServiceM8 account before completing the OAuth authorization. If you start the OAuth process without an active ServiceM8 session, you'll be prompted to log into your ServiceM8 account first, then automatically redirected to complete the standard OAuth flow.

This is a common security practice - the user authenticates with ServiceM8 directly (not with your application), and then ServiceM8 issues the authorization tokens to your application. Your application never sees the user's ServiceM8 credentials.

Authentication Options Available:
ServiceM8 offers multiple authentication methods depending on your integration needs:

  1. OAuth 2.0: Recommended for multi-account apps and user-facing applications
  2. API Keys: For server-to-server integrations and basic third-party connectivity - no Partner Program required for simple needs
  3. Add-on SDK: Uses the ServiceM8 Simple Token Service for automatic OAuth token provision during function execution

App Approval Process:
To get started with development, you'll need to register for a Developer account at servicem8.com/developer-registration. The developer documentation mentions waiting for developer account approval before creating client-facing add-ons, but doesn't specify exact timeframes in the available documentation.

For more detailed information about the specific approval timeline and requirements, I'd recommend reaching out directly through our developer support channels, as the process can vary based on your specific use case and integration requirements.

Hope this clarifies the OAuth flow!

Thanks,
Cody
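
The authorization-code flow described in the reply above, sketched from the third-party app's side as an added example (not part of the original thread and not ServiceM8's code). The endpoint URLs are placeholders to be replaced with the values from the provider's developer documentation, the function names are hypothetical, the scope value passed in is up to the caller, and `session` is a plain dict standing in for a server-side session store.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints (assumption): take the real ones from the provider's docs.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/access_token"


def start_authorization(client_id, redirect_uri, scope, session):
    """Build the URL the browser is sent to; the user logs in there, not in the app."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # binds the later callback to this browser session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, session, client_id, client_secret, redirect_uri):
    """Validate the redirect and return the form body for the token exchange."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    if "error" in params:
        raise PermissionError(f"authorization denied: {params['error']}")
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    # The app POSTs this body server-side to TOKEN_URL. It holds a short-lived
    # code and the app's own client credentials, never the user's password.
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": params["code"],
        "redirect_uri": redirect_uri,
    }
```
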


First question: My question is:
As you shared, OAuth needs direct credential entry, so if Karan wants to get data from my account in ServiceM8, I have to log in to ServiceM8 first and then to my CRM app. Is this correct?
What if I log off from ServiceM8, does my CRM still get real-time data without a database?
What if I want some sub-admin to see my data from the CRM app, do I show them live data or only the saved token in the database? What if my sub-admins are also ServiceM8 users, are they able to get their dashboard data without a client ID and secret ID saved in code for each account differently?


Second question: Regarding authentication options:

Is the API key feature under OAuth? What if in future I want to post data in ServiceM8, will the API key work? Is this secure?


Third question: App approval process:

I have already created a developer add-on in my account and am getting the client ID and secret ID. Now what are the next steps, as I have hosting also? What is the template of the app approval process?
What do I upload in the add-on manifesto?
And from where do I get the add-on authentication URL?


And last question:

When I log in to my ServiceM8 on one system (laptop or device), I am then able to get data to my CRM web app. When I log in to my CRM web app on another device (laptop or device), it stops the data on my first system. Is there any way that my CRM web app is able to pull real-time data on multiple devices?