NAV
http

Overview of the RTA API

The RTA API is the gateway to data and intelligence in RTA Fleet Management software. You can use the RTA API to build apps for your organization and consumers that interact with the data in RTA Fleet Management software. With the RTA API, you can connect to a wealth of resources, relationships, and intelligence, all through a single endpoint: https://api.rtafleet.com.

Get access tokens to call the RTA API

To call the RTA API, your app must acquire an access token from Auth0, RTA's cloud identity service. The access token contains information (or claims) about your app and the permissions it has for the resources and APIs available through the RTA API. To get an access token, your app must be able to authenticate with Auth0 and be authorized by either a user or an administrator for access to the the RTA API resources it needs.

This topic provides an overview of access tokens, OAuth and how your app can get access tokens.

What is an access token and how do I use it?

Access tokens issued by OAuth are base 64 encoded JSON Web Tokens (JWT). They contain information (claims) that the RTA APIs use to validate the caller and to ensure that the caller has the proper permissions to perform the operation they're requesting. When calling the RTA API, you can treat access tokens as opaque. You should always transmit access tokens over a secure channel, such as transport layer security (HTTPS).

Here's an example of an RTA access token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9UWTVNVUk1TXpKQk9EWkdSVUU0TXpReVFURTVNRU0zTWpKQ05ESXlOa06T0VVek9URXdOdyJ9.eyJodHRwczovL2FwaS5ydGFmbGVldC5jb20vYXBwX21ldGFkYXRhIjp7InRlbmFudElkIjoiUlRBMDEyNjciLCJpZCI6Ikx1VUxUYU9CcTJhcjJzRlBiaHJMRmVROElQcklVNFoyIiwiaXNNYWNoaW5lMk1hY2hpbmUiOnRydWUsImRlc2t0b3BVc2VybmFtZSI6InN5c3RlbSJ9LCJpc3MiOiJodHRwczovL2Rldi1ydGEuYXV0aDAuY29tLyIsInN1YiI6Ix1VUxUYU9CcTJhcjJzRlBiaHJMRmVROElQcklVNFoyQGNsaWVudHMiLCJhdWQiOiJodHRwczovL3N0Zy5hcGkucnRhaGl2ZS5jb20iLCJpYXQiOjE1NDQ3MTUwNDYsImV4cCI6MTU0NzMwNzA0NiwiYXpwIjoiTHVVTFRhT0JxMmFyMnNGUGJockxGZVE4SVBySVU0WjIiLCJzY29wZSI6InBhcnRzOnZpZXciLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.izNktviwQnmj4yl5mrXLvmdRNyRfJste6fryhmtmEtNacY3ehgEilrrjfpBAgqAhqV8efuB9nkO2x27Bn-P76RHaFYUd5bWHveNCcwRkyLrj51C9_EENpzsjhh1_PU1cDaG15Ruil0LunM_4zSJ_4XIaipHwdDtBx5LatSLqcf5yy2YsKD9pKDfSmIxkYkpiJz_xyUKFW96H45n2cXlgGFoz 2j8skLZITVKQwFp1yJ_CfxmlTkJZ9ZQIQpWUd2PVtzCVCNDq26FJbnJjKX45UhwSw3wb5v-S5sRkDzQl4WYDbRfAf3bCmPmpFrSstp2uvw3_CMvirENT2NE0KPIuGQ

HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLC ... CMvirENT2NE0KPIuGQ
Host: api.rtafleet.com
POST /graphql HTTP/1.1
{ "query": "{ getMe { id } }"}

To call the RTA API, you attach the access token as a Bearer token to the Authorization header in an HTTP request. For example, here's a call that returns the profile information of the signed-in user (the access token has been truncated for readability)

What are the RTA API permissions?

The RTA API exposes a rich set of granular permissions over the resources it controls. These permissions are expressed as strings and grant apps access to the RTA API resources like vehicles, parts, work orders, purchase orders, etc. For example:

There are two types of permissions:

For a complete list of the RTA API permissions, as well as the differences between delegated and application permissions, see the Permissions reference.

Where does my app get an access token?

Your app gets access tokens from Auth0, RTA's cloud identity service. To get an access token, your app exchanges HTTP requests and responses with Auth0 using industry-standard protocols defined in the OAuth 2.0 specification. These protocols describe the Auth0 endpoints and exchanges with them -- or authentication flows -- that your app uses to securely authenticate with Auth0 and get access tokens.

On a very simple level, to get an access token, your app exchanges HTTP requests with the following endpoints:

The /authorize endpoint, where your app can send a user to authenticate with Auth0 and consent to the permissions your app needs. The /token endpoint where your app can get an access token once user consent has been granted. (Note: These definitions are not rigid. Depending on the protocol your app uses, it may get access tokens directly from the /authorize endpoint or it may authenticate directly with the /token endpoint.)

Here's an example of one set of the /authorize and /token endpoints exposed by Auth0:

Register your app with the RTA API

Your app must be registered with RTA. Registering your app establishes a unique application ID and other values that your app uses to authenticate with Auth0 and get tokens. You register your app by creating an API Key on the RTA Web App. More info can also be found here Depending on the type of app you are developing, you will need to copy one or more properties during registration to use when you configure authentication and authorization for your app.

Get access without a user

Some apps call the RTA API with their own identity and not on behalf of a user. In many cases, these are background services or daemons that run on a server without the presence of a signed-in user. An example of such an app might be a data extraction service that wakes up and runs overnight. In some cases, apps that have a signed-in user present may also need to call the RTA API under their own identity. For example, an app may need to use functionality that requires more elevated privileges in an organization than those carried by the signed-in user.

Apps that call the RTA API with their own identity use the OAuth 2.0 client credentials grant flow to get access tokens from Auth0. In this topic, we will walk through the basic steps to configure a service and use the OAuth client credentials grant flow to get an access token.

Authentication and authorization steps

The basic steps required to configure a service and get a token from the Azure AD v2.0 endpoint that your service can use to call the RTA API under its own identity are:

  1. Register your app.
  2. Configure permissions for the RTA API on your app.
  3. Get an access token.
  4. Use the access token to call the RTA API.

Get an access token

In the OAuth 2.0 client credentials grant flow, you use the Application ID and Application Secret values that you saved when you registered your app to request an access token directly from the Azure AD v2.0 /token endpoint.

Get access token

POST /oauth/token HTTP/1.1
Host: rta.auth0.com
Content-Type: application/json
cache-control: no-cache
{
  "audience": "https://api.rtafleet.com",
  "grant_type": "client_credentials",
  "client_id": "LuULTaO2sFPbhrLFe...PrIU4Z2",
  "client_secret": "jsAt0vbpF3...Gqu-LYMOq0y7tYOrFyKABDovFMuZMMCfgIB"
}

You send a POST request to the /token endpoint to acquire an access token.

A successful response looks like this:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9UWTVNVUk1TXpKQk9EWkdSVUU...",
  "scope": "parts:view",
  "expires_in": 2592000,
  "token_type": "Bearer"
}

A successful response contains the following:

Supported app scenarios and resources

Apps that call the RTA API under their own identity fall into one of two categories:

Permissions

Permissions in RTA are enforced based on Application identity accessing the API. A list of applications can be found in the RTA Web App when editing an API Key here

Code Samples

Code samples that demonstrate using the RTA API are available in the RTA Developer Samples GitHub repository.

Use the RTA API

The RTA API is a GraphQL web API that enables you to access RTA API service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the RTA API.

https://api.rtafleet.com/graphql

Request body format

{
  "query": "...",
  "operationName": "...",
  "variables": { "myVariable": "someValue", ... }
}

The components of a request include:

After you make a request, a response is returned that includes:

Response data format

{
  "data": { ... },
  "errors": [ ... ]
}

A query might result in some data and some errors, and those should be returned in a JSON object of the form:

If there were no errors returned, the "errors" field should not be present on the response.

Sample request and response to retrieve user profile and permissions

Request

query fetchMe {
  getMe {
    id
    status{
      code
      state
    }
    permissions {
      tenantId
      facilityId
      permission
    }
    tenants {
      id
      name
      roles {
        id
      }
    }
  }
}

Response

{
  "data": {
    "getMe": {
      "id": "LuULTaOBq2ar2rLFeQ8IPrIU4Z2",
      "status": null,
      "permissions": [],
      "tenants": [
        {
          "id": "RTA99999",
          "name": "RTA Sample Customer",
          "roles": []
        }
      ]
    }
  }
}

Exploring the GraphQL Schema

  1. Download and install the appropriate GraphQL Playground app for your operating system from https://github.com/prisma/graphql-playground/releases.
  2. Run the GraphQL Playground app.
  3. Select URL ENDPOINT and enter the Endpoint url for the RTA API: https://api.rtafleet.com/graphql.

Exploring the Docs

On the right side of GraphQL Playground, you will find a tab called DOCS which you an use to explore the queries and mutations available in the RTA API.

Examples

Example 1: Querying basic tenant information

Request

{
  getTenant(input: { id: "RTACAN01" }) {
    id
    name
    entitlements
  }
}

This sample demonstrates how to retrieve basic tenant information. Notice how GraphQL allows the developer to specify the exact data required in the response.

Response

{
  "data": {
    "getTenant": {
      "id": "RTACAN01",
      "name": "RTA Canary 01",
      "entitlements": null
    }
  }
}

Errors

{
  "data": { ... },
  "errors": [ ... ]
}

The RTA API returns error information as part of the response. A query might result in some data and some errors, and those should be returned in a JSON object of the form shown at the right.

Sample invalid request

query {
  getParts(input: {tenantId: "INVALID_ID", facilityId: "200"}) {
    parts {
      id
      partNumber
    }
  }
}

If there were no errors returned, the "errors" field will not be present on the response.

Field Description
message The error message.
extensions Additional information about the error.
exception Exception/Error details.
requiredPermission The permission required to execute the requested operation.

Sample error response

{
  "data": null,
  "errors": [
    {
      "message": "Missing required \"parts:view\" permission.",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "getParts"
      ],
      "extensions": {
        "code": "API.MISSING_PERMISSION_PARTS_VIEW",
        "exception": {
          "code": "API.MISSING_PERMISSION_PARTS_VIEW",
          "type": "MISSING_REQUIRED_PERMISSION",
          "description": "Missing required \"parts:view\" permission.",
          "tokens": {
            "requiredPermission": "parts:view"
          },
          "ctx": {
            "awsRequestId": "a1772866-ffbe-11e8-bd7e-b91d02e81301",
            "correlationId": "a15b14c4-ffbe-11e8-bc70-19caf995b12d",
            "info": {
              "getPartsGraphql": "2018-12-14T16:38:05+00:00",
              "fetchPartsApi": "2018-12-14T16:38:05+00:00"
            }
          }
        }
      }
    }
  ]
}

Paging

Paging of records is handled as part of the request to any of the plural methods in the RTA API using the queryOptions.pagination element in the GraphQL query.

When a response is returned, a set of meta data is supplied which provides additional pagination information indicating the current page, totalPages, totalRecords, current offset and current limit

Terms

Term Meaning
offset The number of records to skip. This is a zero-based number meaning that the first record is represented by the number 0; the tenth record by the number 9.
limit The maximum number of records to return in the query.
page The current page number.
totalPages The total number of pages given the current limit.
totalRecords The total number of records available.

Paged result request

query {
  getParts(input: {
      tenantId: "RTA99999",
      facilityId: "200",
      queryOptions: {
          pagination: {
              offset: 0,
              limit: 50
              }
        }
    }) {
    parts {
      id
      partNumber
      description
      meanCost
      sellingPrice
    }
    meta {
      page
      totalPages
      totalRecords
      offset
      limit
      sort {
        sortBy
        sortOrder
      }
      searchMeta {
        id
        relevancy
      }
    }
  }
}

Response, results truncated for brevity

{
  "data": {
    "getParts": {
      "parts": [
        {
          "id": "00096F4A5EB1A82C67F6BD8DFE9744BB",
          "partNumber": "10W30",
          "description": "10W30 Motor Oil",
          "meanCost": 2.43,
          "sellingPrice": 3.43
        },
        {
          "id": "000A87043FAC8438CDF312974E95CCB2",
          "partNumber": "D1770",
          "description": "Brake Pads - Front",
          "meanCost": 21.5,
          "sellingPrice": 37.99
        }
        ...
      ],
      "meta": {
        "page": 1,
        "totalPages": 74,
        "totalRecords": 3698,
        "offset": 0,
        "limit": 50,
        "sort": {
          "sortBy": "id",
          "sortOrder": "asc"
        },
        "searchMeta": null
      }
    }
  }
}

Extracting data from RTA

RTA has built a simple REST API for extracting useful data directly from the RTA database. This is useful for customers who need direct access to the raw, unformatted data for use in data warehousing and other utility projects.

The data returned represents the actual physical column names in the database.

The data extract API can be used by first obtaining an access token as descrbed in this documentation. The access token is then used as a bearer token in the authorization header.

Required Permission

A special API permission has been created to allow use of the data extract API. We recommend tighly controlling and securing the client id and client secret when granted this permission because anyone with these credentials will have full read access to all of the data in your database.

Permission Name Description
api:extractTable gives full read access to all tables in the customer database

URL format of the extract API

Use the following URL to access the data extract API.

URL: https://api.rtafleet.com/v0/extract/<tablename>?etag=<etag>&limit=<limit>

Field Description
tablename The name of the actual table in the RTA database. To obtain the table names you may request the data dictionary by contacting support@rtafleet.com
etag The first etag value to return
limit limit is not required, has a max of 1000 and defaults to 1000. If you choose to get your data in increments of 100, you could set limit=100.

Examples calling the API

See the example at the right for the format of the data returned from the API.

The resulting object is:

{
    "count": 1000,
    "value" : [the rows from the table sorted by etag],
     "nextEtag" : "12344"
}

where nextEtag would be the very next etag value to use. nextEtag is not returned if you have received all the rows in the table.

Retreive the first 1000 records

Example retrieving records from vehfile

curl --request GET \
  --url "https://api.rtafleet.com/v0/extract/vehfile?etag=0&limit=1000" \
  --header "authorization: Bearer $AUTH_TOKEN"

Sample reponse from vehfile

{
    "count":"1000",
    "value":[
        {FIRST RECORD IN TABLE},
        ...,
        {1000th RECORD IN TABLE}
    ],
    "nextEtag":"12345"
}

See the example CURL request at the right to retrieve the first 1000 records from the vehilces table vehfile.

Retrieve any rows modified since the etag 12345

Sample request with etag

curl --request GET \
  --url "https://api.rtafleet.com/v0/extract/vehfile?etag=12345&limit=1000" \
  --header "authorization: Bearer $AUTH_TOKEN"

Sample response without nextEtag

{
    "count":"50",
    "value":[
        {1001th RECORD IN TABLE},
        ...,
        {1051th RECORD IN TABLE}
    ]
}

See the example CURL request at the right to retrieve anything that has been created or modified since the etag of 12345 has been retrieved.

Because nextEtag was not returned, there are no more rows to retrieve.

Errors in the data extract API

If you supply an invalid tablename, you will receive a 404 error.