Code Samples

Sometimes it’s best to just see it done. For that, we have some code samples for you to peruse. Though we are working diligently on full libraries for interfacing with our API, they aren’t quite ready yet. Until then, these examples should get you started (and never be afraid to ask if not), the interface is simple enough that whatever language you are using should run closely to what’s happening here in python and cURL.

Bash + cURL (HTTP authentication)

This is a simple example of making a request from the command line. You probably won’t be using cURL, but if you run into issues we’ve found it’s best to try to recreate them with cURL with the -vv flag. You get a lot of of insight into what your request and response look like this way. Another good thing about cURL is that it’s easy to see what it’s doing even if you’re not familiar with the tool.

export BASE=''

# get products
curl -H"X-Client-Key: $CLIENT_KEY" -u"$USER:$PASSWORD" "${BASE}products/mine?pretty=true"

#get total sales by product
curl -H"X-Client-Key: $CLIENT_KEY" -u"$USER:$PASSWORD" "${BASE}sales/products?pretty=true"

Bash + cURL (OAuth)

Here, we’ll manually go through getting an OAuth Access Token. It’s a mess, so hopefully you wouldn’t have to do this yourself but it illustrates the protocol effectively. Note the oauth_callback set to oob and the X-OAuth-Scope is set to products:read.

oob means out of band. Which is to say you don’t want the user to be redirected during the authorization process, but instead you want them to be given a code to paste into the program. products:read means the only thing the resulting Access Token will be able to do is access product data. You can look here for more about this. If you want to skip scopes entirely you can, the issued access tokens will simply inherit the scope that you specified when creating the client key.

#change these


# get and parse Request Token
OUTPUT="$(curl -v -XPOST $BASE'oauth/request_token' \
      -H'Authorization: OAuth oauth_signature_method=PLAINTEXT,
                                oauth_signature='$CLIENT_SECRET'&' \
      -H'X-OAuth-Scope: products:read' \
      -H'Content-Length: 0')"

REQUEST_TOKEN=`echo $OUTPUT |  sed 's/.*oauth_token=\([^&]*\).*/\1/'`
REQUEST_SECRET=`echo $OUTPUT |  sed 's/.*oauth_token_secret=\([^&]*\).*/\1/'`

# Forward to be authorized and get verifier
echo "Go to ${BASE}oauth/authorize?oauth_token=$REQUEST_TOKEN to get your code."
read -p'verifier:' VERIFIER

#Exchange Request Token for Access Token
OUTPUT="$(curl -v -XGET $BASE'oauth/access_token' \
      -H'Authorization: OAuth oauth_signature_method=PLAINTEXT,

ACCESS_TOKEN=`echo $OUTPUT |  sed 's/.*oauth_token=\([^&]*\).*/\1/'`
ACCESS_SECRET=`echo $OUTPUT |  sed 's/.*oauth_token_secret=\([^&]*\).*/\1/'`

# Make a request to get products
curl -XGET -v $BASE'products/mine' \
        -H'Authorization: OAuth oauth_signature_method=PLAINTEXT,

Python (HTTP Authentication)

The below example uses the requests package, available from pip or easy_install. make_request is where the magic happens, the rest is just exercising the API by getting and manipulating resources.

""" Script that demonstrates how to access the Appfigures API
    from python. It relies on requests, because urllib is no fun
    Released into the Public Domain (for what it's worth)

import requests

# Fill these constants in

# Helper function for auth and app_key
# first / in uri is optional
def make_request(uri, **querystring_params):
  headers = {"X-Client-Key": APP_KEY}
  return requests.get(BASE_URI + uri.lstrip("/"),

# Get the root resource to show we are in business
root_response = make_request("/")
assert 200 == root_response.status_code
assert USERNAME == root_response.json()["user"]["email"]

# Get a list of products
product_response = make_request("/products/mine")
assert 200 == product_response.status_code
assert 0 < len(product_response.json())
for (id, product) in product_response.json().items():
  print(product["name"], product["id"])

# Get data for all inapps for a year by month
products = product_response.json().values()
inapps = [p for p in products if p["type"] == u"app"]
inapp_ids = [str(product["id"]) for product in inapps]
inapp_names = [inapp["name"] for inapp in inapps]
route = "/sales/dates+products/2012-01-01/2012-12-31"
inapp_sales_response = make_request(route,
assert 200 == inapp_sales_response.status_code

# Make a little table of revenue
data = inapp_sales_response.json()
months = sorted(data.keys())
print(",".join(["date\\product_name"] + inapp_names))
for month in months:
  values = data[month]
  downloads = []
  for inapp_id in inapp_ids:
    if inapp_id in values:
  print(",".join([month] + map(str, downloads)))

Python (OAuth)

There’s a decent python package for OAuth called rauth. This example shows how to use it to get an Access Token and start making requests.

Warning: when you do get a rauth session, make sure that querystring parameters are given in the params= keyword arg– if they are given as part of the url rauth won’t sign the request correctly.

""" Demonstrates using the rauth library to interact with
    the Appfigures API

from rauth import OAuth1Session, OAuth1Service

base_url = ""
client_key = "client_key"
client_secret = "client_secret"

request_token_url = base_url + "/oauth/request_token"
authorize_url = base_url + "/oauth/authorize"
access_token_url = base_url + "/oauth/access_token"

def get_service():
  """ Returns an OAuthService configured for us """
  return OAuth1Service(name="appfigures",

def get_session(access_token=None, access_token_secret=None):
  """If access_token and secret are given, create and return a session.

      If they are not given, go through the authorization process
      interactively and return the new session

  oauth = get_service()

  if access_token:
    session = OAuth1Session(client_key, client_secret,
                            access_token, access_token_secret,
    return session

  params = {"oauth_callback": "oob"}
  headers = {'X-OAuth-Scope': 'public:read,products:read'}
  request_token, request_token_secret = oauth.get_request_token(

  authorization_url = oauth.get_authorize_url(request_token)
  print("Go here: %s to get your verification token."
          % authorization_url)
  verifier = raw_input("Paste verifier here: ")
  session =  oauth.get_auth_session(request_token,
  return session

if __name__ == "__main__":
  s = get_session()
  print("Access Token: %s\tAccess Secret:%s"
          % (s.access_token, s.access_token_secret))
  resp = s.get(base_url + "/products/mine")
  print([ product['name'] for (id, product) in resp.json().items()])

  # it is VERY important that querystring parameters go in params
  # rather than directly put in the URL. rauth will not sign the request
  # correctly if you did s.get(base_url+"products/mine?store=apple")
  resp = s.get(base_url + "/products/mine", params=dict(store="apple"))
  print([ product['name'] for (id, product) in resp.json().items()])

  resp = s.get(base_url + "/sales/products")
  print("Status code(%s) should be 403 because of scope" %

C# (HTTP Authentication)

Here’s snippet of C# code that talks to the API.

using System;
using System.IO;
using System.Net;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

namespace ApiClient
    class Program
        static void Main(string[] args)
            Console.WriteLine(" --- Products --- ");
            AppfiguresApi client = new AppfiguresApi("USERNAME", "PASSWORD", "CLIENT_KEY");

            var products = client.MakeRequest("products/mine");
            foreach(var product in products){

            Console.WriteLine("\n--- Sales Over Past 7 Days ---");
            var sevenDaySales = client.MakeRequest("sales/dates/?start=-7&end=0");
            foreach (var date in sevenDaySales) {
                var sales = date.Value;
                Console.WriteLine(String.Format("{0}: {1,-4}(${2:C})", date.Key, sales["downloads"], sales["revenue"]));

    class AppfiguresApi
        private static readonly Uri BaseUrl = new Uri("");
        public readonly String Username;
        public readonly String Password;
        public readonly String ClientKey;

        public AppfiguresApi(String username, String password, String clientKey)
            this.Username = username;
            this.Password = password;
            this.ClientKey = clientKey;

        public JObject MakeRequest(String path)
            Uri fullUri = new Uri(BaseUrl, path);
            WebRequest request = WebRequest.Create(fullUri);
            request.PreAuthenticate = true;
            request.Credentials = new NetworkCredential(this.Username, this.Password);
            request.Headers.Add("X-Client-Key: " + ClientKey);
            WebResponse response = request.GetResponse();
            using (StreamReader responseReader = new StreamReader(response.GetResponseStream())) {
                return JObject.ReadFrom(new JsonTextReader(responseReader)) as JObject;
  • Benny Elgazar

    Hey, How do I get the access_token without automaticly without enter manualy to the site each time and the past it to my python code??

  • ElieH

    PHP example :

    $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, "");
        curl_setopt($ch, CURLOPT_TIMEOUT, 200);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
        //might help if running on localhost
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
         curl_setopt($ch, CURLOPT_HTTPHEADER, array(

        curl_setopt($ch, CURLOPT_USERPWD, "USERNAME:PASSWORD");
        $response = curl_exec($ch);

       echo $response;

  • Ronen Magid


  • Heezze

    No PHP example? :/ I do PHP and do not understand how to do oAuth. Will you do a oAuth example soon?

  • Guest

    Great example .. Thank You!

  • J. Justin Hancock

    How about a Java example?

    • Patrice

      Java examples would also be a big help for us.

  • geva

    what about PHP examples?

    • appfigures

      We don’t have any at the moment but code samples in other languages will be available in the future.

      • Gunt

        2 years and no PHP exampe?:)

        • Cody Crumrine

          Here you go:

          “` ini_set(‘display_errors’,1); error_reporting(E_ALL); session_start(); function getFullHost($s){ $ssl = (!empty($s[‘HTTPS’]) && $s[‘HTTPS’] == ‘on’) ? true:false; $sp = strtolower($s[‘SERVER_PROTOCOL’]); $protocol = substr($sp, 0, strpos($sp, ‘/’)) . (($ssl) ? ‘s’ : ”); $port = $s[‘SERVER_PORT’]; $port = ((!$ssl && $port==’80’) || ($ssl && $port==’443′)) ? ” : ‘:’.$port; $host = isset($s[‘HTTP_X_FORWARDED_HOST’]) ? $s[‘HTTP_X_FORWARDED_HOST’] : isset($s[‘HTTP_HOST’]) ? $s[‘HTTP_HOST’] : $s[‘SERVER_NAME’]; return $protocol . ‘://’ . $host . $port . $s[‘REQUEST_URI’]; }

          define(“BASE_URL”, ‘’); define(“CLIENT_KEY”,’YOUR CLIENT KEY’); define(“CLIENT_SECRET”,’YOUR CLIENT SECRET’);

          if(isset($_REQUEST[‘oauth_token’]) && isset($_REQUEST[‘oauth_verifier’])){ //we’ve got a token back $oauth_sig = “OAuth oauth_signature_method=PLAINTEXT” . ‘, oauth_verifier=’ . $_REQUEST[‘oauth_verifier’] . ‘, oauth_token=’ . $_REQUEST[‘oauth_token’] . “, oauth_consumer_key=” . CLIENT_KEY . “, oauth_signature=” . CLIENT_SECRET . ‘&’ . $_SESSION[‘request_secret’]; $ch = curl_init(BASE_URL . ‘oauth/access_token’); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, array( ‘Authorization: ‘ . $oauth_sig )); $response = curl_exec($ch); parse_str($response, $result); var_dump($result); die(); }else{ //we need to redirect the user to the auth dialog $oauth_sig = “OAuth oauth_signature_method=PLAINTEXT” . “, oauth_consumer_key=” . CLIENT_KEY . “, oauth_callback=” . getFullHost($_SERVER) . “, oauth_signature=” . CLIENT_SECRET . ‘&’; $ch = curl_init(BASE_URL . ‘oauth/request_token’); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, array( ‘Authorization: ‘ . $oauth_sig )); $response = curl_exec($ch); parse_str($response, $result); if(!isset($result[‘oauth_token’])){ var_dump($response); throw new Exception(‘Error, did not receive an oauth request token.’, 1); } $request_token = $result[‘oauth_token’]; $_SESSION[‘request_secret’] = $result[‘oauth_token_secret’];

          header('Location: ' . BASE_URL . '/oauth/authorize/?oauth_token=' . $request_token);

          } “`