Client-Deployment of The BlackLine Public API - v1.7
Client-Deployment of The BlackLine Public API - v1.7
DISCLAIMER. The information in this document is for general guidance only. In no event will BlackLine or the partners or employees thereof be
liable to you or anyone else for any decision made or action taken in reliance on the information in this document.
The contents of this document are confidential; for internal use by BlackLine clients, partners and staff only.
Confidential
Table of Contents
List of Illustrations ....................................................................................................................................3
Revision History.............................................................................................Error! Bookmark not defined.
BlackLine Public API Overview ...................................................................................................................3
Web Service Architecture..........................................................................................................................4
Features ...............................................................................................................................................4
For the API Client/Developer .....................................................................................................................4
What is the overall process to setup your API access account? ................................................................5
How do you start using our APIs?...........................................................................................................5
How does a developer work with our APIs? ............................................................................................5
How do authentication and authorization work? ....................................................................................6
API Types .................................................................................................................................................6
Security Architecture ................................................................................................................................6
Transport Level Security ........................................................................................................................7
Security Authentication Processing Sequence.............................................................................................8
Client’s System Administrator: Setting up a user for API access ...................................................................9
Authentication REST API Details .............................................................................................................. 12
Route Summary...................................................................................................................................... 13
Route Specifications............................................................................................................................ 13
Rate and Size Limits ................................................................................................................................ 14
Message Rate Limiting ........................................................................................................................ 14
Message Payload Limiting (POST operation: /authorize/connect/token)................................................ 14
HTTP Status Error Codes ......................................................................................................................... 14
Reporting REST API Details ...................................................................................................................... 16
Route Summary...................................................................................................................................... 18
Route Specifications ............................................................................................................................ 19
Rate and Size Limits ................................................................................................................................ 19
Message Rate Limiting ........................................................................................................................ 19
HTTP Status Error Codes ......................................................................................................................... 19
Tasks REST API Details............................................................................................................................. 20
Route Summary...................................................................................................................................... 21
Route Specifications ............................................................................................................................ 21
Message Payload Limiting (POST operation: /tasks/import) .................................................................. 21
HTTP Status Error Codes ......................................................................................................................... 22
Message Payload .................................................................................................................................... 22
FAQ’s ..................................................................................................................................................... 23
@ BlackLine 2017. All rights reserved. Public API User Guide Page 2
Confidential
List of Illustrations
Figure 1. BlackLine Public API Product Family .............................................................................................4
Figure 2. Web Service Architecture Block Diagram ......................................................................................4
Figure 3. Relationship between a BlackLine API consumer, STS and Public API ..............................................7
Figure 4. STS Authentication Processing Sequence......................................................................................9
Figure 5. As a System Administrator, Navigate to the Users Admin Grid ..................................................... 10
Figure 6. Click the edit icon for the user to whom you wish to extend API access ........................................ 10
Figure 7. Granting API Role Access AND generating an API Key .................................................................. 11
Figure 8. Authorization API Header with Client Secret in Postman ............................................................. 12
Figure 9 Sample Task API message payload containing required fields ....................................................... 13
Figure 10. Authentication API response in Postman .................................................................................. 13
Figure 11. Inserting the Authentication Key into the OAuth2 Authorization Header in Postman for the Report
List service ............................................................................................................................................. 16
Figure 12. Report List API response in Postman ........................................................................................ 16
Figure 13. Inserting the Authentication Key into the OAuth2 Authorization Header in Postman for the Report
Data service ........................................................................................................................................... 17
Figure 14. Report Data API response in Postman for a CSV export type ...................................................... 17
Figure 15. Inserting the API Key into the OAuth2 Authorization Header in Postman .................................... 20
Figure 16. Postman view of the body of the message ................................................................................ 20
Figure 17. JSON content of Task Message................................................................................................. 23
@ BlackLine 2017. All rights reserved. Public API User Guide Page 3
Confidential
Features
• API Rate Limiting - Rate limits are divided into specific windows or intervals.
• Complete API documentation - All of our routes, product functionality (resources), message
schemas, HTTP status codes, and code samples are posted on the BlackLine API Developer
Portal.
• Standards-based security: Our services utilize the OAuth 2.0 protocol for authenticating your
REST calls using OAuth 2.0. Our OAuth tokens are claims based.
• All requests are made over HTTPS. Out network communication is over TLS 1.2.
• All responses are in JSON.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 4
Confidential
using our APIs, we made the process as straight-forward as possible. Answers to some common questions
are:
What is the overall process to setup your API access account?
1. Initially, BlackLine sets up your BlackLine instance (i.e., your BlackLine software environment) with
the necessary database and security preliminaries to accommodate API users.
2. Consequently, during an integration phone call, you work with BlackLine’s integration team to
configure your API account security. Your company will be granted access to the BlackLine Public
API Management Portal to manage your API account with us.
3. Your company’s designated System Administrator will select each user who will need access to the
API(s), and will
a. Activate the API role for each API (e.g., Tasks or Reporting)
b. Generate an API key (also known as a “client secret”). This key is used to authenticate with
the BlackLine Security Token Service (STS) to authenticate and receive OAuth 2.0
claims-based tokens.
Note: Steps 1 and 2 comprise a one-time setup process. You, as a System Administrator, manage
Step 3 to administer client secrets (i.e., to issue, revoke or re-issue API keys).
@ BlackLine 2017. All rights reserved. Public API User Guide Page 5
Confidential
grant_type = “password”
scope = [API Type] + “API “ + [Client_ID] (Client ID provided by the integration team)
username = BlackLine Application Username (based on users selected to use API)
password = BlackLine User API Key (self service within Application)
client_secret (provided by the integration team)
API Types
The following API Types are currently supported:
Tasks
Reports
Security Architecture
To support maximum secure communications between customers and partners, BlackLine's Public API
implements both transport and message level security. This approach is chosen to protect the integrity of
the message during in-flight transmission (transport security) and authenticity of requests (message
security).
The BlackLine Security Token Service (STS) is an application service whose primary purpose is to act as an
identity provider responsible to create, sign, issue and verify security tokens as part of a claims-based
identity system.
Our STS has multiple responsibilities, including:
• Authentication of users.
• Manage and authenticate principals (i.e., claims).
• Issue OAuth 2.0 tokens to API consumers.
• Validate tokens.
The following deployment diagram below illustrates the interrelationship between an API consumer,
BlackLine STS, and the BlackLine Public API.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 6
Confidential
Figure 3. Relationship between a BlackLine API consumer, STS and Public API
@ BlackLine 2017. All rights reserved. Public API User Guide Page 7
Confidential
Step Description
1 API consumer executes an HTTP/S POST to the BlackLine Security Token Service (STS). The consumer
(client) is required to pass the following:
Authorization Header
Client Secret = integration team will provide this initially
Query String Parameters
Grant Type = “password”
Scope = [API Type] + “API “ + Client ID
2 The STS will authenticate the data passed to it from the consumer, and if the credentials are valid,
the STS will return an OAuth 2.0 token back to the consumer via the response message Authorization
Header. The token is used for subsequent communication with the Public API.
3 API consumer initiates an HTTP/S operation to the BlackLine Public API passing the OAuth token
(received at step 2) to a published API endpoint. Note that this call is over TLS 1.2 and must be
transmitted to a BlackLine firewall white listed IP range.
4, 5 The Public API will take the token passed to it from the consumer and subsequently validate the
token regarding its authenticity. If the token is valid, the API will process the consumer's request.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 8
Confidential
Step Description
1 API consumer executes an HTTP/S POST to the BlackLine Security Token Service (STS). The consumer
(client) is required to pass the following:
Authorization Header
Client Secret = integration team will provide this initially
Query String Parameters
Grant Type = “password”
Scope = [API Type] + “API “ + Client ID
2 The STS will authenticate the data passed to it from the consumer, and if the credentials are valid,
the STS will return an OAuth 2.0 token back to the consumer via the response message Authorization
Header. The token is used for subsequent communication with the Public API.
3 API consumer initiates an HTTP/S operation to the BlackLine Public API passing the OAuth token
(received at step 2) to a published API endpoint. Note that this call is over TLS 1.2 and must be
transmitted to a BlackLine firewall white listed IP range.
4, 5 The Public API will take the token passed to it from the consumer and subsequently validate the
token regarding its authenticity. If the token is valid, the API will process the consumer's request.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 9
Confidential
Authorization is done per-user, and for each user, per Application. “API Access” is treated as a role so that
API use is not role-specific to other roles, but rather is itself a role. In addition to being authorized to the API
role, the user must be authorized for each BlackLine Application in which the user will touch the API.
(BlackLine’s first developed an API for “Tasks,” and next “Reporting;” Eventually more BlackLine products
will be equipped with API access.)
To set this up, the Administrator must navigate to the System → Users → Users Admin Grid.
Then click the pencil icon ( ) to edit the user to whom API access is to be granted.
Figure 6. Click the edit icon for the user to whom you wish to extend API access
Then click to select the API Access in the checkbox closest to the API Access Role, as well as the one(s)
aligned with the product(s) to which API Access is being granted for this user. In the example below, only the
Task API is available to be activated, and we show it selected.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 10
Confidential
Click the Save button at the top of the page to record the just-made selections.
Repeat this process for any other users you wish to authorize for use of the API.
Note: API access will NOT be immediately available, but instead requires that the developer
working on the project (client’s in-house staff or BlackLine partner) first secure the proper
“tokens” from BlackLine to complete the authorization setup.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 11
Confidential
@ BlackLine 2017. All rights reserved. Public API User Guide Page 12
Confidential
Route Summary
The following routes are required for communication with the BlackLine Authentication API.
POST operation
https://us2.api.blackline.com/authorize/connect/token
Authorization
Header
Route Specifications
Service Message Request/Response Guideline
Message parameters will be in JSON format unless otherwise noted. The following guidelines must be met:
@ BlackLine 2017. All rights reserved. Public API User Guide Page 13
Confidential
1. Sample metadataMust include the following the Header: required HTTP headers for JSON body:
Example: Content-Type: application/json
2. Must follow the JSON message structure as defined in this document.
3. Responses will be returned to the API consumer in JSON format.
Key Points:
The service will return an Access Token and Token Type in the HTTP message content body that are
used to authenticate subsequent API operations.
If an error is encountered, an Access Token will not be returned. Instead, an HTTP error status code
will be returned.
Authentication Response
The following is an example of the JSON response from the Tasks Import service endpointAuthentication
API:
{
"access_token": "f3001d24e7cfa75b28064ebc249715c9",
"expires_in": 3600,
"token_type": "Bearer"
}
400 Bad Request Bad request. Message was malformed or incorrect request message.
401 Not Authorized Authentication has failed or was not provided by the external API consumer. In this
event, the response will include a WWW-Authenticate header containing a
challenge related to the requested resource.
403 Forbidden User may not have necessary permission for a resource.
405 Method not allowed Request method is not support for the requested resource.
415 Unsupported media The media type is not supported by the resource server.
type
@ BlackLine 2017. All rights reserved. Public API User Guide Page 14
Confidential
429 Too many requests Too many requests made by caller to a single web service endpoint.
440 Login timeout The server is unable to validate authentication credentials within a specific
timeframe.
500 Internal server error General error message used to communicate to the API consumer that an
unexpected exception was encountered and to not expect a specific message
related to the error.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 15
Confidential
Figure 11. Inserting the Authentication Key into the OAuth2 Authorization Header in Postman for the Report List service
@ BlackLine 2017. All rights reserved. Public API User Guide Page 16
Confidential
Figure 13. Inserting the Authentication Key into the OAuth2 Authorization Header in Postman for the Report Data service
Figure 14. Report Data API response in Postman for a CSV export type
@ BlackLine 2017. All rights reserved. Public API User Guide Page 17
Confidential
Route Summary
The following routes are required for communication with the BlackLine Reporting API.
GET operations
https://us2.api.blackline.com/api/queryruns
https://us2.api.blackline.com/api/completedqueryrun/{id}/{export type}
end time
id
name
notes
start time
status
message
o Excel
o PDF
CSV
Excel
PDF
o Binary stream of PDF export
format
@ BlackLine 2017. All rights reserved. Public API User Guide Page 18
Confidential
Route Specifications
Service Message Request/Response Guideline
Message parameters will be in JSON format unless otherwise noted. The following guidelines must be met:
4. Must include the following the Header: required HTTP headers for JSON body:
Example: Content-Type: application/json
5. Must follow the JSON message structure as defined in this document.
6. Responses will be returned to the API consumer in JSON format.
Key Points:
The service will return a Report Id in the HTTP message content body. The Report Id is used in the
Completed Query API with the export type in the URL to return the report data.
If an error is encountered, a Report data will not be returned. Instead, an HTTP error status code will
be returned.
400 Bad Request Bad request. Message was malformed or incorrect request message.
401 Not Authorized Authentication has failed or was not provided by the external API consumer. In this
event, the response will include a WWW-Authenticate header containing a
challenge related to the requested resource.
403 Forbidden User may not have necessary permission for a resource.
405 Method not allowed Request method is not support for the requested resource.
415 Unsupported media The media type is not supported by the resource server.
type
429 Too many requests Too many requests made by caller to a single web service endpoint.
440 Login timeout The server is unable to validate authentication credentials within a specific
timeframe.
500 Internal server error General error message used to communicate to the API consumer that an
unexpected exception was encountered and to not expect a specific message
related to the error.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 19
Confidential
Figure 15. Inserting the API Key into the OAuth2 Authorization Header in Postman
@ BlackLine 2017. All rights reserved. Public API User Guide Page 20
Confidential
Route Summary
The following routes are required for communication with the BlackLine Tasks API.
POST operation
https://us2.api.blackline.com/tasks/import
GET Operation
https://us2.api.blackline.com/tasks/import/status
Queued
Running
Error
Finished
Terminated
Canceled
Unknown
Route Specifications
Service Message Request/Response Guidelines
7. Must include the following content type. Example: Content-Type: application/json
Regarding POST operations: One or multiple records may be POST(ed) in a JSON array to the Tasks
API ingestion endpoint. In order to optimize processing, we highly recommend that you POST
multiple records to the processing endpoint instead of a single record inside a JSON array. Exact
number of records will vary but total message payload size must NOT exceed 50 MB in size.
The service will return a Job Id in the HTTP message content body. The Job Id is used to check on
task ingestion status.
If an error is encountered, a Job Id will not be returned. Instead, an HTTP error status code will be
returned in the response message.
= 100
@ BlackLine 2017. All rights reserved. Public API User Guide Page 21
Confidential
400 Bad Request Bad request. Message was malformed or incorrect request message.
401 Not Authorized Authentication has failed or was not provided by the external API consumer. In this
event, the response will include a WWW-Authenticate header containing a
challenge related to the requested resource.
403 Forbidden User may not have necessary permission for a resource.
405 Method not allowed Request method is not supported for the resource.
415 Unsupported media The media type is not supported by the resource server.
type
429 Too many requests Too many requests made by caller to a single web service endpoint.
440 Login timeout The server is unable to validate authentication credentials within a specific
timeframe.
500 Internal server error General error message used to communicate to the API consumer that an
unexpected exception was encountered and to not expect a specific message
related to the error.
Message Payload
The Tasks API POST endpoint (https://us2.api.blackline.com/tasks/import) will accept an array of tasks
serialized as in JSON format. The image below is the JSON representation of an expected message payload
containing all required fields. Note that the sample below contains mock data for representational purposes
only. One or multiple JSON messages passed to the Tasks API in a JSON array. Maximum payload size <=
50MB.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 22
Confidential
FAQ’s
Q. Is API rate limiting specified per user or globally for the app?
A. Rate limiting is a global function
Q. As a user, can I use the Tasks API for reading BlackLine data or just for writing it?
A. Implementation of the Tasks API allows you to load (create) tasks into BlackLine, so it’s just for
writing. Please note that this API is performing an Add function, and any records would be
overwritten if submitted multiple times.
Q. Which import template does version 1.0 of the Task API follow?
A. Currently, the Task API supports the “Tasks Extended” sheet of the latest BlackLine Import Template.
Please see version 7.14 of the BlackLine Import template.
@ BlackLine 2017. All rights reserved. Public API User Guide Page 23