Hello everyone,
background: I'm new to Magento as I haven't used it before, but I've read through most of the API documentation now. I have an online dashboard application with various widgets that are different API integrations. We mostly read data from APIs to display to our users in a way that they find useful such as various charts. Many of our users have been requesting a new Magento widget.
question(s): I see the API has many different uses after reading through documentation and other posts in forums, but I'm still confused on a couple things. I see to develop and test an API integration we will need to download Magento with sample data. I have done this but haven't got the web server setup because I had a couple questions come to mind and I didn't want to waste time on something that wouldn't work as I had expected. Will the API allow each one our users to authenticate to their own Magento data? I want to make sure the API isn't just for developing within a users own company. Our company isn't interested in currently using Magento, but our users want to give us access to their data via API so we can read the data and end up displaying the data in charts so they can easily see trends and stuff like that. If the API doesn't support that just let me know and you don't need to answer my next question!
https://devdocs.magento.com/guides/v2.3/get-started/authentication/gs-authentication-oauth.html Here I see that the authentication flow is different that how most of our integrations work. Normally our users add a new widget to their dashboard and then configure the widget. If the integration uses oauth the user will click "Add Account" which sends a request to API endpoint and then user will sign into integration account via Oauth and data needed to make requests are returned. With your API it seems the authentication starts on your end after a user creates an integration within admin panel and then that's sent to given URLs. How would I know which of our users this information belongs to? Even if this isn't how we normally setup widgets I think we could find a way to make this work, but it seems that there's nothing unique being sent in the request to let us know which user this consumer key and secret would belong to. That is what brought up my first question I mentioned earlier.
Please let me know if you need any more information or clarification for what I said. Thank you for your time!