Understanding ROOK's Authorization Methods: No OAuth, but Secure Alternatives

Written by Sebastian Eugenio
Updated over a week ago

As you integrate ROOK into your applications, understanding how we handle data authorization is key. While ROOK does not directly use OAuth, we employ secure and robust methods to ensure your users' data is accessed with proper consent and protection. This article will clarify how ROOK manages authorization and why it's designed this way.

Why ROOK doesn't use OAuth

While OAuth is a popular industry standard for authorization, ROOK has implemented its own approach to meet specific needs and provide a seamless user experience. Instead of relying on a generalized OAuth flow, ROOK utilizes a combination of API endpoints and SDKs to manage data authorization. This approach allows for more control over the data and ensures we can deliver consistent and reliable results to our clients.

How ROOK Handles Data Authorization

ROOK uses two primary methods for data authorization:

  1. API-Based Data Sources: For platforms like Fitbit, Garmin, and Oura, ROOK uses a custom authorization flow.

    • The /authorizers Endpoint: Clients use the /authorizers endpoint to retrieve the necessary information for creating a custom connections page or app view. This endpoint provides details including the name, description, logo, and authorization URL for each data source.

    • Custom Connections Page: In production, clients are responsible for building their own user interface to handle authorizations. This page uses the authorization URLs received from the /authorizers endpoint.

    • Authorization Process: When a user attempts to connect a data source, they are redirected to the data provider’s authorization page using the authorization URL. Once the user grants permission, they are redirected back to the client’s app or website via a redirect URL.

    • Sandbox Testing: ROOK provides a pre-configured Connections Page for sandbox testing. This simplifies the initial integration, though it's not meant for production use.

  2. Mobile-Based Data Sources: For platforms like Apple Health and Health Connect, ROOK uses SDKs and the ROOK Extraction App for authorization.

    • SDK Integration: Clients can use ROOK's SDKs to invoke authorization popups directly within their mobile applications. These popups allow users to grant access to their health data.

    • ROOK Extraction App: Alternatively, clients can use the ROOK Extraction App, a pre-built solution for collecting data from mobile-based sources without the need for custom mobile app development. The Extraction App simplifies the process, using a QR code to initiate the authorization and extraction process.
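
The API-based flow above leaves the client with a list of data sources from /authorizers and the job of turning it into a connections page that sends users to the right provider. The following is an added example, not ROOK's own code or SDK: it parses a constructed sample of what such a response might contain (the field names on the page are name, description, logo and authorization URL; the JSON key names, list shape and every URL and host here are assumptions), refuses to render any authorization URL that is not https, carries embedded credentials or points at a host the client has not enabled, and escapes provider-supplied text before it reaches the page.

```python
from __future__ import annotations

import html
import json
from urllib.parse import urlsplit

# Constructed sample of a /authorizers response. The page says each entry carries a
# name, description, logo and authorization URL; the JSON key names, the list shape
# and every URL below are assumptions made for this example, not ROOK's schema.
SAMPLE_AUTHORIZERS_JSON = json.dumps([
    {"name": "Fitbit", "description": "Activity, sleep and heart rate",
     "logo": "https://cdn.client.example/fitbit.png",
     "authorization_url": "https://connect.fitbit.example/authorize?client_id=abc"},
    {"name": "Garmin", "description": "Workouts <b>and</b> sleep",
     "logo": "https://cdn.client.example/garmin.png",
     "authorization_url": "https://connect.garmin.example/authorize?client_id=abc"},
    {"name": "Oura", "description": "Sleep and readiness",
     "logo": "https://cdn.client.example/oura.png",
     "authorization_url": "http://connect.oura.example/authorize?client_id=abc"},
    {"name": "Mystery", "description": "Host not in the allowlist",
     "logo": "",
     "authorization_url": "https://not-a-known-provider.example/authorize"},
])

# Hosts the client is prepared to send its users to (assumed; a real deployment would
# populate this from the providers actually enabled for the account).
ALLOWED_HOSTS = frozenset({"connect.fitbit.example", "connect.garmin.example",
                           "connect.oura.example"})


def check_authorization_url(url: str, allowed_hosts: frozenset[str]) -> str | None:
    """Return None if the URL is safe to redirect a user to, else the reason it is not."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme must be https"
    if not parts.hostname:
        return "missing host"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    if parts.hostname.lower() not in allowed_hosts:
        return f"host {parts.hostname} not in allowlist"
    return None


def parse_authorizers(raw_json: str, allowed_hosts: frozenset[str]) -> tuple[list[dict], list[str]]:
    """Split the /authorizers payload into entries fit to render and rejection reasons."""
    accepted: list[dict] = []
    rejected: list[str] = []
    for item in json.loads(raw_json):
        name = item.get("name") or "<unnamed>"
        url = item.get("authorization_url")
        if not url:
            rejected.append(f"{name}: missing authorization_url")
            continue
        reason = check_authorization_url(url, allowed_hosts)
        if reason is not None:
            rejected.append(f"{name}: {reason}")
            continue
        accepted.append({
            "name": name,
            "description": item.get("description", ""),
            "logo": item.get("logo", ""),
            "authorization_url": url,
        })
    return accepted, rejected


def render_connections_page(entries: list[dict]) -> str:
    """Render one link per accepted data source, escaping provider-supplied text."""
    rows = []
    for e in entries:
        rows.append(
            '<li><img src="{logo}" alt=""> <a href="{url}">{name}</a> '
            "<span>{desc}</span></li>".format(
                logo=html.escape(e["logo"], quote=True),
                url=html.escape(e["authorization_url"], quote=True),
                name=html.escape(e["name"]),
                desc=html.escape(e["description"]),
            )
        )
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


if __name__ == "__main__":
    ok, bad = parse_authorizers(SAMPLE_AUTHORIZERS_JSON, ALLOWED_HOSTS)
    print(render_connections_page(ok))
    for line in bad:
        print("skipped:", line)
```

The allowlist is the part worth keeping even if the rest is replaced by a framework template: the connections page is the one place the client hands users off to a third party, so it should only ever link to hosts the client has deliberately enabled, whatever the upstream response says.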

Key Features of ROOK's Authorization Approach

  • Flexibility: ROOK provides a variety of tools to support different integration needs, including mobile and API-based approaches.

  • Control: Clients have full control over the presentation and user flow of the authorization process.

  • Security: While ROOK does not use OAuth directly, all data transmissions are secured using industry-standard practices, including HMAC validation.

  • Customization: Clients can tailor the user experience of the authorization process to match their branding and application design.

  • Efficiency: The ROOK approach optimizes the process to ensure efficient and effective data collection.
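
The Security point above mentions HMAC validation of data transmissions without describing the scheme. As an added example that is not ROOK's code, and with the secret, header name, body and hex encoding all assumed rather than taken from ROOK's documentation, this shows the generic pattern a receiving endpoint uses: recompute an HMAC-SHA256 over the raw body with the shared secret, compare it to the presented signature in constant time, and only parse the body once the comparison succeeds.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional

# Constructed sample delivery. The secret, the header name and the body are assumptions
# made for this example; the page does not describe ROOK's actual signing scheme.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
SIGNATURE_HEADER = "X-Signature"
SAMPLE_BODY = json.dumps(
    {"user_id": "user-123", "source": "garmin", "summary": {"steps": 8421}},
    separators=(",", ":"),
).encode()


def sign_payload(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (what the sender attaches)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_payload(secret: bytes, body: bytes, presented_signature: str) -> bool:
    """Recompute the MAC over the bytes actually received and compare in constant time,
    so a wrong signature takes the same time to reject however many leading characters match."""
    expected = sign_payload(secret, body)
    try:
        return hmac.compare_digest(expected, presented_signature.strip().lower())
    except TypeError:  # non-ASCII input can never be a valid hex digest
        return False


def handle_delivery(headers: Mapping[str, str], body: bytes, secret: bytes) -> Optional[dict]:
    """Endpoint logic: refuse deliveries with a missing or bad signature before the body
    is parsed; return the decoded payload only when the signature checks out."""
    presented = headers.get(SIGNATURE_HEADER)
    if not presented or not verify_payload(secret, body, presented):
        return None
    return json.loads(body)


if __name__ == "__main__":
    sig = sign_payload(SHARED_SECRET, SAMPLE_BODY)
    print("genuine delivery:", handle_delivery({SIGNATURE_HEADER: sig}, SAMPLE_BODY, SHARED_SECRET))
    # Any change to the body (here one appended space) invalidates the signature.
    print("tampered body:", handle_delivery({SIGNATURE_HEADER: sig}, SAMPLE_BODY + b" ", SHARED_SECRET))
    print("no signature:", handle_delivery({}, SAMPLE_BODY, SHARED_SECRET))
```

Two details matter in practice: the MAC must be computed over the exact bytes received, not over a re-serialised copy of the parsed JSON, and the comparison must use hmac.compare_digest rather than ==, which short-circuits on the first differing character.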

Benefits of ROOK's Method

  • Seamless integration: The process is made as easy as possible for our clients by providing both pre-built solutions, such as the Connections Page and Extraction App, and API endpoints for custom integrations.

  • Data Protection: User data is protected through every step of the process, ensuring a secure transfer and delivery of data.

  • Standardized data delivery: ROOK delivers data using standard JSON schemas, which simplifies integration into existing systems.

Conclusion

While ROOK does not use OAuth, our authorization mechanisms provide robust security and customization capabilities. By using our /authorizers endpoint, the ROOK SDKs, or the ROOK Extraction App, our clients can efficiently manage user authorizations and access the data they need. These methods are designed to offer a secure, reliable, and flexible solution for all your data integration needs.