SmugMug API
Tutorial
API Concepts
Advanced
- Optimizing response sizes
- Expanding related data
- Configuring expansions
- Rate Limits
- Method and Content Overrides
- Performance Metrics
- Multi-get
- Options requests
Live API Browser
Reference
OAuth FAQ
If you have questions about OAuth, or are having trouble getting it to work, you might find an answer to your question here. If not, you can email us and we will help you out.
Why does my request fail with "The user has not granted the required permissions
"?
When you request authorization to access a SmugMug user's account (by
redirecting them to the /authorize
endpoint), you are also requesting a
specific level of access. There are two query
parameters which can be added to the /authorize
URL
to change the level of access being requested.
If you don't send one or both of those parameters, you get the default level instead. In both cases, the default is the lowest level, so if you are getting the default level unintentionally, it may be a lower level of access than your application needs to work.
Also, note that once the user has granted authorization to your application, you can't change the level of access by making a new authorization request. At that point, only the user can change the level of access, which they can do in Account Settings.
Why does my request fail with "oauth_problem=parameter_absent
"?
There are many required parameters when making an OAuth request, and you will
see this message if any of them are missing. However, the most common cause of
this problem is the result of the difference between the two revisions of the
OAuth 1.0 standard. The two versions are called 1.0
and 1.0a
. Note that RFC
5849 is the same as OAuth 1.0a, even though the title of the RFC is just "OAuth
1.0".
We highly recommend that you use OAuth 1.0a. If you are using the 1.0a
endpoints, then you must pass an oauth_callback
parameter to the
getRequestToken
endpoint. If you are porting code
that used OAuth 1.0, it may not be sending an oauth_callback
parameter, which
would cause the error parameter_absent
.
Why is the authorization page not redirecting back to my application like it should?
If you find that clicking the "Authorize" button on the authorization page
appears to do nothing, you are probably trying to pass your callback URL
dynamically via an oauth_callback
parameter to the deprecated OAuth 1.0
getRequestToken
endpoint. For security reasons, SmugMug does not allow
dynamic callbacks when using OAuth 1.0. You can solve this problem by
switching to OAuth 1.0a.
Why does my request fail with "oauth_problem=signature_invalid
"?
OAuth requests are signed to catch problems that corrupt your request, such as network errors or man-in-the-middle attacks. The signature you calculate must match the signature that SmugMug calculates, or the request fails.
The signing algorithm must be followed precisely, because even a small difference in the input to the algorithm will result in a different signature. For this reason, we highly recommend that you use an off-the-shelf library to make your OAuth requests.
If you are having trouble with signatures, here are some things to check:
- Is your
oauth_signature
being percent-encoded? OAuth signatures use base64 encoding, which can produce some special characters that need to be percent-encoded in theAuthorization
header or in the URL query string. - Does your request URI have an empty path? In the case of SmugMug, this would
probably be
https://upload.smugmug.com
. If so, use/
as the path instead:https://upload.smugmug.com/
. - Does your request URI have any uppercase letters in the hostname? If so,
change them to lowercase. For example, you should change
https://api.SmugMug.com/api/v2
tohttps://api.smugmug.com/api/v2
. - Are you making a
POST
orPATCH
request? If so, are you sending the rightContent-Type
header? For example, if you are sending JSON in the request body, theContent-Type
header should beapplication/json
.