The Getting Started guide and Authorization Code Flow tutorial demonstrate basic implementations of SKY API using easy-to-follow setup instructions.
See Code Samples. Our Endpoint Reference contains code samples in multiple languages.
See our Issues page for any existing issues. If you find a new issue, please contact us.
To call the SKY API, your application will need to provide two things:
Your developer subscription key - this key represents Blackbaud's permission for you to call the API, and it should be sent as part of the Bb-Api-Subscription-Key request header.
An access token - this represents a Blackbaud customer's permission for you to access their data, and it should be sent as part of the authorization request header.
For more information, see request headers.
For applications that cannot maintain the confidentiality of their Application secret, the most appropriate OAuth flow is the Authorization Code Flow with PKCE.
Browser-based (JavaScript) apps run entirely in the browser after loading the source code from a web page. Since the entire source code is available to the browser, they cannot maintain the confidentiality of their Application secret, so the secret is not used in this case.
See Authorization to learn about the OAuth flows that are supported.
As with browser-based apps, the most appropriate flow for native applications (desktop and mobile devices) is the Authorization Code Flow with PKCE.
See Authorization to learn about the OAuth flows that are supported.
The SKY API doesn’t support basic authorization through username/password. Instead, obtain an access token through the Authorization Code Flow.
Authorization begins when your application redirects the user's browser to our https://app.blackbaud.com/oauth/authorize
See Authorization.
localhost
Yes. We allow you to register multiple redirect URIs with your application. For production, we require https
http
localhost
127.0.0.1
See Register your application and the Auth Code Flow tutorial.
After the user grants (or denies) access to your application, we'll redirect the browser to the URI that you passed to us when you initiated the authorization process (this URI must exactly match one of the values you registered with your application).
We also support the OAuth 2.0 state
See Authorization.
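The PKCE and state handling described above for browser-based and native apps, as an added example that is not Blackbaud's own code: it builds the authorization request and validates the redirect back to the application. The query parameter names are the standard RFC 6749 and RFC 7636 ones and are assumed to apply here; the function names, client ID and redirect URI are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://app.blackbaud.com/oauth/authorize"  # from the page


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_authorization(client_id: str, redirect_uri: str) -> dict:
    """Build the authorize URL; keep state and code_verifier on the client."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 characters
    state = _b64url(secrets.token_bytes(16))
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must exactly match a registered value
        "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    })
    return {"url": f"{AUTHORIZE_URL}?{query}", "state": state,
            "code_verifier": verifier}


def finish_authorization(callback_url: str, pending: dict, redirect_uri: str) -> str:
    """Validate the redirect back to the app; return the authorization code."""
    if callback_url.split("?", 1)[0] != redirect_uri:
        raise ValueError("callback is not on the registered redirect URI")
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0].encode()
    if not hmac.compare_digest(returned, pending["state"].encode()):
        raise ValueError("state mismatch: response is not for this request")
    if "error" in params:  # the user denied access or the request failed
        raise PermissionError(params["error"][0])
    if "code" not in params:
        raise ValueError("callback carries neither code nor error")
    return params["code"][0]  # exchange promptly, sending code_verifier
```

The code_verifier never leaves the client until the token exchange, so an intercepted authorization code is useless without it; no Application secret is involved.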
If both your access token and refresh token have expired, then you'll need to send the user back through the interactive authorization process. If your access token has expired but you have a valid refresh token, then you can simply exchange the refresh token for a new access token (and a new refresh token) non-interactively.
See Authorization.
Yes, we've enabled CORS support in the SKY API. We allow all origins (*), support the GET, PUT, POST, PATCH, and DELETE methods, and the Bb-Api-Subscription-Key, authorization, accept, and content-type headers.
During the initial user-interactive authorization process, the authorization code sent to your application will expire in 5 minutes, which means you have a very short window of time in which to exchange the authorization code for an access token.
Access tokens will expire in 60 minutes, after which you can use the refresh token to obtain a new access token (and a new refresh token). For the Authorization Code Flow, refreshing an access token does not involve any user interaction, so your application can have indefinite connectivity to the SKY API once the user provides consent.
Refresh tokens are longer-lived values that will eventually expire in 365 days, using a sliding window model. As long as your application connects at least once to the SKY API within the window, it will be able to retain connectivity to the customer's data.
See Token Expiration.
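The expiry rules above (60-minute access tokens, 365-day sliding refresh window, both tokens replaced on refresh), as an added example that is not Blackbaud's own code. The response field names follow RFC 6749 and are assumed; the class, the function names, the 60-second safety margin and the token values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ACCESS_TTL = timedelta(minutes=60)   # from the page
REFRESH_TTL = timedelta(days=365)    # from the page, sliding window
SKEW = timedelta(seconds=60)         # assumption: margin before expiry


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    access_expires: datetime
    refresh_expires: datetime

    def next_action(self, now: datetime) -> str:
        if now + SKEW < self.access_expires:
            return "use_access_token"
        if now + SKEW < self.refresh_expires:
            return "refresh"          # non-interactive
        return "reauthorize"          # user must consent again

    def apply_refresh(self, response: dict, now: datetime) -> "TokenRecord":
        # Both tokens are replaced: persist the new refresh token together
        # with the new access token, and discard the old pair.
        ttl = timedelta(seconds=response.get("expires_in", 3600))
        return TokenRecord(response["access_token"], response["refresh_token"],
                           now + ttl, now + REFRESH_TTL)


def replay(start: datetime, gaps) -> list:
    """Walk constructed gaps between app activity; return the action at each."""
    now = start
    rec = TokenRecord("at-0", "rt-0", start + ACCESS_TTL, start + REFRESH_TTL)
    actions = []
    for i, gap in enumerate(gaps, 1):
        now += gap
        action = rec.next_action(now)
        actions.append(action)
        if action == "refresh":
            # Constructed response standing in for the token endpoint.
            rec = rec.apply_refresh({"access_token": f"at-{i}",
                                     "refresh_token": f"rt-{i}",
                                     "expires_in": 3600}, now)
        elif action == "reauthorize":
            break
    return actions
```

Replaying gaps of 200 days twice still yields "refresh" both times, because each refresh restarts the 365-day window; only a single gap longer than the window forces the user back through consent.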
Yes, you may store access tokens and refresh tokens within your application, associated with your application's concept of a user (if applicable). When the user logs in with your application's credentials, you can check to see if you have an access token for that user and adjust your application's experience accordingly. For example, you may immediately route the user through the authorization process in order to obtain an access token, or disable functionality until the user provides consent.
If your application doesn't have the notion of user credentials, you can simply direct the user to log in with their Blackbaud credentials when they log into your application. We'll provide you with the user's access token and expiration details as part of the Token response during the authorization code flow.
In any case, be sure to store access tokens and refresh tokens securely in your system so that they aren't exposed to the public.
The subscription key is associated with your developer account and must be provided as part of the Bb-Api-Subscription-Key
See Subscription.
When you obtain a subscription to the SKY API, we'll provide two keys (primary and secondary) that you can use when calling the API. Both keys are equally functional; we provide two keys to support rotation on your end.
We don't require you to rotate your subscription keys, and you can adopt whatever key rotation schedule and strategy best fits your needs. If you do need to regenerate your subscription keys, you can do so from the My subscriptions page.
You can register your application in the My Applications area to obtain the unique ID and secret, which will be used during the authorization process to obtain an access token to call the API.
See Managing your apps.
If you believe your application's secret has been exposed, you should regenerate the secret and update your application to use the new value when calling the SKY API.
Customers always have control over whether or not an application can access their data. An administrator within the customer's organization must first enable your application before any user will be able to use it, and at any time the administrator can remove your application. If that happens, the application will not be able to obtain or refresh any access tokens to use when calling the API.
If your application is removed, users will see the following message in the authorization process:
“This application has not been approved by your administrator…”
See Authorization.