We have a CM account which we are using for many clients. What we are looking to do is have an additional simple website where clients will be able to log in with their CM client username and password, so we can offer some additional services.
The main service we want to offer is buying credits online, as here in the UK we need to add 20% VAT to sales and document this on the VAT invoice, which as far as I am aware the native credit purchasing facility in CM does not offer this?
Basically, a client would log in, we would then know what CM client ID, they can purchase some credits through a payment gateway, and then I can move the credits across form our master account over to their client account using their CM client ID.
Does anybody know if there is a client account authentication function in the API? Or a way I could tackle this. My initial idea would have been that they enter their username and password into our login form, I could then use my master API key to get a list of all our clients, I could then check the username and password entered against each record to see if I found a match, however the client list does not bring back their password. Another way would be to have all the usernames and password in our own MySQL database, then if they change their password in CM, I could use an API web hook to update their password in my database, however their does not appear to be a web hook that supports this function.
I tackled this on a version 1 or our website a few years ago by posting the username and password entered into our own login form to the main CM login using PHP cURL, if the returned page was the account dashboard then I would know their username and password was correct, if not then I would know it was incorrect, however there must a more elegant way to solve the problem?
Hi! You are correct that we do not charge VAT, as an Australian company it's just not possible for us to do so.
There are a couple of things you can look at in our API. First take a look at oAuth which would work nicely for you here. The only downside, and this may be a deal breaker, is that oAuth is not whitelabel, so your clients would likely get exposed to the Campaign Monitor brand.
Your other option would be to use our service where you provide the account URL, username and password and we'll give you back the client API key. This depends on what wrapper you are using, but you can see it documented here, specifically on line 59.
I hope that helps!