Tredict Partner API - Documentation

The Partner API is intended for companies that want to register their users with Tredict in order to assign them training plans and Tredict write access rights. Companies manage their own billing system, but integrate Tredict for the distribution of training plans.

Contact

If you are interested in the Partner API, please send us an email and we will take the necessary steps to assign you access.

partner@tredict.com

Onboarding of athletes

Athlete onboarding allows you, as a partner, to direct users to the Tredict user registration form and automatically link the user to your Tredict partner account in a secure and privacy-compliant way. Alternatively, existing user accounts can also be linked to the partner account.

If the user is linked to the partner account, the user will be authorised to access the partner's training plans and will automatically be assigned monthly Tredict write access, which Tredict will bill via the partner.

Procedure

The registration of a new Tredict user by the partner account is done by a 2-way handshake.

The partner requests a private and a public code from the API for user registration and stores both in its backend. The Tredict user registration form is then called up with the public code. Once the user has registered, Tredict redirects to a landing page of the partner and transfers the private code and the identification number of the newly or already registered user as parameters. The partner can now compare the private code with the stored one, assign it to their athlete and save the Tredict user identification number.

Advantages of the 2-way handshake procedure:

  1. The partner has no knowledge of the user's access data.

GDPR compliance is guaranteed by Tredict. No contract for commissioned data processing needs to be concluded between the partner and Tredict. The partner does not need to take any additional security precautions.

  2. The registration form on the Tredict website is used.

All validation steps, such as password security or agreement to the Tredict terms of use and data protection policy, take place at Tredict.

  3. Protection against faulty or intentionally damaging processes.

If the partner API access data is stolen, it is more difficult for attackers to carry out malicious automated actions, as the handshake involves a human factor.

Flow

  • Generate the handshake codes by calling init-register-handshake and save the response on your server.

  • Direct the athlete to the Tredict registration form and pass the received registerCode as a parameter.

    https://staging.tredict.com/register/?registerCode=vrQc4sFaJGbpoga4AjuanC

    If the user is not yet registered, the registration form will now be displayed. If the user is registered and logged in, they will be asked whether they would now like to link to the partner account.

  • Upon successful registration, the landing page that you specified when registering your partner account is called. The authorizationCode that you saved when initialising the handshake is transmitted as a parameter. Compare it with the stored code. If they do not match, it is not an authorised response! The userId of the Tredict user is passed as the second parameter. Save it; you need it to activate or remove the connection to the user account.

    If the connection is successful, your landing page will be called with these parameters:
    https://www.yourlandingpage.com/hallo-user/?authorizationCode=9WXeX4kUBQrMrHHoTAKSAn&userId=aEen1VF4

    In the event of an unforeseen error, the landing page is called with an error parameter:
    https://www.yourlandingpage.com/hallo-user/?error=could_not_connect_athlete_to_partner&userId=aEen1VF4

  • Activate the user with activate-user so that they are automatically assigned write access and can access your training plans. The monthly automatically assigned write access will be charged to the partner account under the negotiated conditions.
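
The landing-page check from the flow above, as an added Node.js example that is not part of the Tredict documentation: it rejects error callbacks, expired or reused code pairs and mismatching codes before the userId is accepted. The names safeEqual, verifyLandingCallback, activateUserUrl, pendingHandshakes and athleteId (the partner's own session-bound athlete key) are assumptions; the sample values are the ones shown on this page.

```javascript
// Added example. Hypothetical names: safeEqual, verifyLandingCallback,
// activateUserUrl, pendingHandshakes, athleteId (partner's own session-bound key).

// Compares every character regardless of where the first difference is.
// In production Node.js code, crypto.timingSafeEqual serves this purpose.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// pendingHandshakes: Map from athleteId to the saved init-register-handshake response.
function verifyLandingCallback(callbackUrl, athleteId, pendingHandshakes, now = new Date()) {
  const params = new URL(callbackUrl).searchParams;
  const pending = pendingHandshakes.get(athleteId);
  pendingHandshakes.delete(athleteId); // a code pair is single use, whatever the outcome

  if (params.has("error")) return { ok: false, reason: params.get("error") };
  if (!pending) return { ok: false, reason: "no_pending_handshake" };
  // Negated "<" so that an unparsable expiresAt also counts as expired.
  if (!(now < new Date(pending.expiresAt))) return { ok: false, reason: "handshake_expired" };
  if (!safeEqual(params.get("authorizationCode"), pending.authorizationCode)) {
    return { ok: false, reason: "authorization_code_mismatch" };
  }
  const userId = params.get("userId");
  if (!userId) return { ok: false, reason: "missing_user_id" };
  return { ok: true, userId }; // store userId, then call activate-user
}

// userId arrives in a query string, so encode it before placing it in a path.
function activateUserUrl(userId) {
  return `https://staging.tredict.com/user/partner/activate-user/${encodeURIComponent(userId)}`;
}

// Constructed sample data, using the example values shown on this page.
const demoStore = new Map([["athlete-42", {
  registerCode: "vrQc4sFaJGbpoga4AjuanC",
  authorizationCode: "9WXeX4kUBQrMrHHoTAKSAn",
  expiresAt: "2023-12-29T15:30:39.008Z",
}]]);
const demoResult = verifyLandingCallback(
  "https://www.yourlandingpage.com/hallo-user/?authorizationCode=9WXeX4kUBQrMrHHoTAKSAn&userId=aEen1VF4",
  "athlete-42", demoStore, new Date("2023-12-29T15:00:00.000Z"));
console.log(demoResult, demoResult.ok ? activateUserUrl(demoResult.userId) : "");
```
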

Endpoints

Every request to an endpoint must set the Authorization header, which carries the partner client credentials. You will receive these from us.

The credentials consist of clientId and clientSecret joined by a colon and then encoded with Base64.

Example request:

Node.js

const base64_partner_credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");

const response = await fetch(`https://staging.tredict.com/user/partner/init-register-handshake`, {
  headers: {
    'Authorization': `Basic ${base64_partner_credentials}`,
  },
});
// response.json() returns a Promise, so it has to be awaited
const handshake_codes = await response.json();

PHP WordPress

$response = wp_remote_request(
  'https://staging.tredict.com/user/partner/init-register-handshake',
  array(
    'method'  => 'GET',
    'headers' => array(
      'Authorization' => 'Basic ' . base64_encode( $clientId . ':' . $clientSecret )
    ),
  )
);
echo wp_remote_retrieve_body( $response );

Register user - Generate handshake codes

GET https://staging.tredict.com/user/partner/init-register-handshake

Request headers:

  • Authorization: Basic ${base64_partner_credentials}
  • Accept: application/json;charset=UTF-8

Response JSON object entries:

  • registerCode: This code must be passed as a parameter to the Tredict user registration form.
  • authorizationCode: This code is returned as a parameter to the partner landing page after the user has successfully registered.
  • expiresAt: Expiry of the code pair as an ISO date string. The code pair has a validity of one hour.

Response JSON example:

{
  "registerCode": "vrQc4sFaJGbpoga4AjuanC",
  "authorizationCode": "9WXeX4kUBQrMrHHoTAKSAn",
  "expiresAt": "2023-12-29T15:30:39.008Z"
}

Status return codes:

  • 200: Request could be processed successfully.
  • 401: Invalid authorization header.
  • 429: Too many requests.
  • 500: Something went wrong on our side.
  • 503: Sorry, we went to the pub.

Activate user

By activating the user, the user is automatically assigned monthly write access and has access to all training plans in the partner account. The activation must be carried out after a new registration and the comparison of the authorizationCode. The assigned write access will be invoiced under the negotiated conditions.

GET https://staging.tredict.com/user/partner/activate-user/${userId}

Request headers:

  • Authorization: Basic ${base64_partner_credentials}

Request path parameter:

  • userId: The user identification number of the user to be activated. This was transferred when the user was registered.

Status return codes:

  • 200: Request could be processed successfully. User got activated.
  • 400: Bad parameter given.
  • 401: Invalid authorization header.
  • 403: No handshake was executed.
  • 404: User could not be found.
  • 429: Too many requests.
  • 500: Something went wrong on our side.
  • 503: Sorry, we went to the pub.

Remove user

The connection of the user account to the partner is completely removed. Write access is no longer billed and assigned via the partner account. To reconnect the user, onboarding must be carried out again.

DELETE https://staging.tredict.com/user/partner/remove-user/${userId}

Request headers:

  • Authorization: Basic ${base64_partner_credentials}

Request path parameter:

  • userId: The user identification number of the user to be removed. This was transferred when the user was registered.

Status return codes:

  • 200: Request could be processed successfully. User got disconnected.
  • 400: Bad parameter given.
  • 401: Invalid authorization header.
  • 404: User could not be found or is already removed.
  • 429: Too many requests.
  • 500: Something went wrong on our side.
  • 503: Sorry, we went to the pub.

Show user event list

Returns an object of all users who are or were connected to the partner account.

GET https://staging.tredict.com/user/partner/event-list

Request headers:

  • Authorization: Basic ${base64_partner_credentials}

Response JSON example:

{
  "j6rJEmsr8": {
    "activationDates": [ "2024-01-03T19:21:40.857Z" ],
    "assignments": [{
      "months": 1,
      "assignedAt": "2024-01-03T19:21:41.857Z"
    }]
  },
  "RVQmMnmi7": {
    "activationDates": [ "2024-01-03T19:21:45.393Z" ],
    "removalDates": [ "2024-01-06T20:21:45.480Z" ],
    "assignments": [{
      "months": 1,
      "assignedAt": "2024-01-03T19:21:41.857Z"
    }, {
      "months": 1,
      "assignedAt": "2024-01-04T19:21:41.857Z"
    }]
  }
}

Status return codes:

  • 200: Request could be processed successfully.
  • 401: Invalid authorization header.
  • 429: Too many requests.
  • 500: Something went wrong on our side.
  • 503: Sorry, we went to the pub.
written on 29.12.2023, 11:28:39 by Felix Gertz