Authentication API
Information about the steps necessary to access your Experimentation Events Export using the Optimizely Experimentation Authentication API.
The simplest and fastest way to access your Experimentation Events Export is by using the Optimizely Authentication API, where you can exchange an Optimizely Experimentation-issued token for temporary AWS credentials. These credentials can then be used to access the Experimentation Events S3 buckets associated with your account, where you can programmatically download your data and optionally upload them to your bucket using your S3 credentials.
Overview
Optimizely Experimentation Authentication API endpoint
https://api.optimizely.com/v2/export/credentials
Query Parameters
Parameter | Description |
|---|---|
duration | This is the expiration window for your credentials. The default and the maximum value is 1 hour. You may select anything between 15 minutes and 1 hour for this parameter, using ued t for hours or rary for minutes. Example: Refresh these credentials as often as needed using your original Personal Access Token. |
Reference
Complete Optimizely ExperimentationREST API reference.
Acquire temporary AWS credentials with the Authentication API
Generate a Personal Access Token.
Generate a Personal Access Token (PAT) within the Optimizely application by followingthe Support documentation instructions.
Make a request to the Optimizely Authentication API with your PAT
Copy your Personal Access Token (PAT) into theAuthorization header of a GET request sent to the Optimizely Experimentation Authentication API's/export/credentials endpoint.
Sample cURL request
curl -H "Authorization: Bearer {PAT}" -X GET https://api.optimizely.com/v2/export/credentials\?duration\=1hSample response
{ "credentials": { "accessKeyId": "access_key_id", "secretAccessKey": "access_secret_key", "sessionToken": "session_token", "expiration": 1591026407394 }, "s3Path": "s3://optimizely-events-data/v1/account_id=123"}The response contains anaccessKeyId, asecretAccessKey and asessionToken, which you will use in the next step to validate your credentials.
📘
NoteYou can skip this step if you already have credentials for the other data export services. You can reuse the same credentials to access your Experimentation Events Export data, though those credentials will be less secure than the ones issued using the above method.
Validate your credentials
Verify you can access Experimentation Events Export data using your credentials.
InstallAWS command line tools.
Export your
accessKeyId,secretAccessKeyandsessionTokenas environment variables:export AWS_ACCESS_KEY_ID={access_key_id}export AWS_SECRET_ACCESS_KEY={access_secret_key}export AWS_SESSION_TOKEN={session_token}Copy your Optimizely Account ID. For information on accessing your Account ID review the support documentation onaccount name, id, and multi-account-login in Optimizely Experimentation.
List the files in your S3 decisions directory, using your account id and a given date:
aws s3 ls s3://optimizely-events-data/v1/account_id=<account id>/type=decisions/date=<YYYY-MM-DD>/You should see a list of all experiments for which users received decisions that day.
📘
NoteThe final forward-slash is necessary because your credentials will only provide access to one folder inside the Optimizely Experimentation Amazon S3 bucket.
- Because your data export data is encrypted, inspect and access the data with one of the following clients:
- AWS CLI version 1.11.108 and later
- AWS SDKs released after May 2016
Extract your data
When setting up access to your Experimentation Events Export data programmatically, you need theaccessKeyID,secretAccessKey, andsessionToken values from the Authentication API collected fromMake a request to the Optimizely Authentication API with your PAT. These credentials let you download files from Optimizely Experimentation's S3 bucket. To copy these files to your own S3 bucket, you must first download them locally and then upload them to your bucket using your S3 credentials. See theAWS documentation on working with objects.
📘
NoteThe credentials expire every hour, so you need to configure a process for refreshing them. For information, refer to theAWS documentation on using temporary credentials with AWS resources.
Sample code
The following is sample code for aboto3 S3 client that uses the Optimizely Experimentation Authentication API and refreshes credentials once an hour:
#!/usr/bin/env python3from botocore.credentials import RefreshableCredentialsfrom botocore.session import get_sessionfrom datetime import datetimeimport requests as rimport boto3import pytzimport sysclass BearerAuth(r.auth.AuthBase): """ Bearer authentication class that integrates with requests' native authentication mechanism. """ def __init__(self, token): """ Args: token (str): Bearer token used to authenticate requests to an API """ self.token = token def __call__(self, request): """Sets the Authorization header on the current HTTP request. Args: request (request): The current HTTP request object. Returns: request: The current HTTP request with additional Authorization header """ request.headers['Authorization'] = f"Bearer {self.token}" return requestclass OptimizelyS3Client(object): """ AWS S3 client using credentials from Optimizely """ EXPORT_CREDENTIALS_URL = 'https://api.optimizely.com/v2/export/credentials' CREDENTIALS_IDENTIFIER = 'Optimizely' EVENT_EXPORT_BUCKET_REGION = 'us-east-1' def __init__(self, token: str): """ Args: token (str): Optimizely personal access token """ self.token = token def get_bucket_prefix(self, account_id: str) -> str: """Get the bucket prefix for a given Optimizely account ID Args: account_id (str): Optimizely account ID Returns: str: The S3 bucket prefix to access events data """ return f"v1/account_id={account_id}/" def get_creds(self) -> dict: """Get AWS credentials from the Optimizely public API Returns: dict: The AWS credentials for a given Optimizely account """ response = r.get( OptimizelyS3Client.EXPORT_CREDENTIALS_URL, auth=BearerAuth(self.token) ) node = response.json() return node['credentials'] def as_boto3_s3_client(self): """ Convert the Optimizely S3 client to a standard boto s3 client with refreshable credentials Returns: botocore.client.S3: Standard boto3 S3 client """ creds = self.get_creds() # The API response is in milliseconds expiry_time = int(creds['expiration'] / 1000) # boto expects the expiry time to be a UTC datetime expiry_time = datetime.fromtimestamp(expiry_time, pytz.utc) opz_refreshable_credentials = RefreshableCredentials( creds['accessKeyId'], creds['secretAccessKey'], creds['sessionToken'], expiry_time, self.get_creds, OptimizelyS3Client.CREDENTIALS_IDENTIFIER ) session = get_session() session._credentials = opz_refreshable_credentials session.set_config_variable('region', OptimizelyS3Client.EVENT_EXPORT_BUCKET_REGION) opz_session = boto3.Session(botocore_session=session) s3_client = opz_session.client('s3') return s3_clientdef main(): EVENT_EXPORT_BUCKET_NAME = 'optimizely-events-data' OPTIMIZELY_ACCOUNT_ID = '8506653257' OPTIMIZELY_PERSONAL_ACCESS_TOKEN = '2:4gLnqLABma8j2B4hyJ1ssvRJNvDR_YX1LfNjwS742PNKgOs0GNcU' optimizely_s3_client = OptimizelyS3Client(OPTIMIZELY_PERSONAL_ACCESS_TOKEN) s3_client = optimizely_s3_client.as_boto3_s3_client() all_objects = s3_client.list_objects( Bucket=EVENT_EXPORT_BUCKET_NAME, Prefix=optimizely_s3_client.get_bucket_prefix(OPTIMIZELY_ACCOUNT_ID) ) print(all_objects)if __name__ == '__main__': main()Updated 2 months ago