Create a REST API using basic PHP with Token Authentication - Real world example of a to-do list API | Michael S. | Skillshare

Michael S., Mobile Systems Developer

43 Lessons (14h 40m)
  • 1. Introduction (1:35)
  • 2. Course Contents and Project Scenario (2:47)
  • 3. What is REST? (8:19)
  • 4. Software Set up (6:09)
  • 5. Task API Requirements (3:34)
  • 6. Authentication API Requirements (2:23)
  • 7. Demo of Completed API - What we will be building within this course (24:13)
  • 8. Tasks Database and Task Table Creation (12:33)
  • 9. Set Up API Folder Structure (4:35)
  • 10. Create the Response Model (38:58)
  • 11. Set Up The Database Connection (22:52)
  • 12. Create The Task Model (32:55)
  • 13. GET - Get a Single Task (44:41)
  • 14. DELETE - Delete a Single Task (9:27)
  • 15. GET - Get All Complete and Incomplete Tasks (22:22)
  • 16. GET - Get All Tasks (17:47)
  • 17. GET - Get All Tasks With Pagination (37:02)
  • 18. POST - Create a Task (49:19)
  • 19. PATCH - Update a Task (55:22)
  • 20. Mid Course Review - What we have done so far (1:18)
  • 21. Introduction to Token Based Authentication (11:22)
  • 22. Users Table Creation (5:34)
  • 23. POST - Create a User (Sign up user API) (43:00)
  • 24. Sessions Table Creation (7:41)
  • 25. POST - Create a Session (Log user in API) (82:23)
  • 26. DELETE - Delete a Session (Log user out API) (25:25)
  • 27. PATCH - Refresh a Session (Get new access token API) (51:20)
  • 28. Update Tasks Table - Add User Assignment (4:07)
  • 29. Add Authentication to our Tasks API (47:16)
  • 30. Course Conclusion and Demo Client Application (10:49)
  • 31. BONUS Section 01 - What is CORS And How Do We Allow This On Our REST API (16:41)
  • 32. BONUS Section 02 - Adding Image Upload Functionality To Our API Intro (10:22)
  • 33. BONUS Section 02 - Demo of Image Upload API (15:52)
  • 34. BONUS Section 02 - Implement Folder Structure To Store The File Uploads (5:16)
  • 35. BONUS Section 02 - Task Image Database Table Creation (5:22)
  • 36. BONUS Section 02 - Implement The Image Model (34:30)
  • 37. BONUS Section 02 - Implement The Image Route Logic (38:27)
  • 38. BONUS Section 02 - POST - Implement The Upload Image Route (66:03)
  • 39. BONUS Section 02 - GET - Implement The Get Image Attributes Route (12:20)
  • 40. BONUS Section 02 - GET - Implement The Getting Of The Actual Image File (16:45)
  • 41. BONUS Section 02 - PATCH - Implement The Update Image Attributes Route (43:17)
  • 42. BONUS Section 02 - DELETE - Implement The Image Deletion Route (19:43)
  • 43. BONUS Section 02 - Integrate Images Into Task API (37:44)

96 Students

About This Class


In this course I will be showing you how to create RESTful web services with PHP; no third-party frameworks or paid software are needed.

We will be covering the basics of what REST is and how to implement them using pure vanilla PHP. At the end of this course you should be able to create a basic RESTful web service that you can allow other people to use.

The course will follow a scenario that we have been given, which is to implement a web service that can record a list of tasks, basically a to-do list. We will implement each requirement one at a time, and then add the ability for this API to become a multi-user service, so that each user can securely have their own task list.

To do this we will implement an authentication concept called token-based authentication, which we will explore further within the course. Token-based authentication is a lot more secure than just basic password authentication and is now a best practice in the industry.

We will start at the beginning and build as we go. As long as you know the basics of PHP, such as variables, if statements, loops, arrays and some basic object-oriented programming concepts, you should be able to follow this course to the end.

We will also be using MySQL as the database to store the tasks, and we will be building and changing the database as we go. Again, you don't need to be an expert in MySQL, but you do need to know the fundamentals, such as basic SELECT, UPDATE and DELETE statements and concepts such as primary keys and foreign keys.

The RESTful API can then be used by web and mobile apps (both iOS and Android).

BONUS SECTION 01 ADDED - CORS (Cross-Origin Resource Sharing), which will allow you to adjust this API to run on a different domain/subdomain from your front-end application.

BONUS SECTION 02 ADDED - teaching you how to upload images/files against a task. We will go through the changes we need to make to the API to allow uploading of images to a task. We will then allow you to associate image attributes such as title and filename with the image, as well as being able to download the image and delete the image.

Meet Your Teacher


Michael S.

Mobile Systems Developer


Hi

I have been programming for over 13 years using PHP, Swift, HTML, CSS and JavaScript and have all-round experience of web systems and system architecture.

Programming is not just part of my job but it is a hobby too, and I am interested in the full stack, from the infrastructure, to the security, to the user experience.



Transcripts

1. Introduction: Hello and welcome to my course. I am Michael Spinks, and in this course I will be sure knew how to create rest full Web services. With PHP no third party free works appeared software is needed. We'll be covering the basics of what rest is and how table Amend the beer six years in pure vanilla PHP. At the end of this course, you should be able to create a basic rest ful Web service that you can allow other people to use. The course will follow a scenario that we have been given. It is to implement a Web service which can record a list of tasks. Basically, a to do list will be implemented, each requirement one at a time. Then we will add on the ability for this E p I to become a multi user service. So each user can security have their own tests first. To do this, we'll be implementing an authentication concept called Talk and Beer Store Syndication, and we will be exploring this further within the course. Talking baseball syndication is a lot more secure than just basic password authentication and is now the best practice among the industry. We'll be starting at the beginning and building is weak or as long as you know the basics of PHP, such as variables. If statements loops in arrears, you should be able to follow this call through to the end. We'll also be using my SQL for the date appears to stall the tasks they were building and changing the database as we go. And again, you don't need to be an expert in my SQL, but you just need to know the fundamentals such as basic select, updated delete statement and concepts such as primary keys and foreign keys. Okay, let's get started. 2. Course Contents and Project Scenario: Okay, This is what we're going to cover throughout this calls. I will try and keep the Syria through minimum to get under the practical tasks quicker because no one really likes the born theory part. However, the theory I've added is necessary just working grasp of fundamentals. 
We'll be starting by giving you a brief overview of our given scenario so you can start thinking about the requirements and actually to give you an idea of what we're actually going to produce, where they're going to run through the basics of rest and how it is implemented. Then before we can start, I'll show you what software we're going to use. This is all free and downloadable off the Internet. We will then download and install the software together. Although this is basic, it is good to do this together because they were all starting from the same point. Well, then, throw specific requirements for the FBI. This is the actual de deal on what the FBI needs to do well, then get on and actually start the Rembrandt Asian by first creating the deer dubious and setting up the tables be used appeared to be my admin for that and will be guiding you through, basically, step by step. The next is where the largest amount of workers don't. This is the actual implementation of the PHP court. This includes testing at every stage to make sure it first all works, and second, it'll fulfills the requirements from of scenario. Then we'll move on to the talkin baseball's indication. This can be a little dry, although it's really good to understand how it works. I'll explain the basics of this and talk you through how and why. This is now an industry best practice. We will build the authentication module, which will then be used to security, authenticate users Well, then go back to our A p i court and not in the authentication requirement and re factor the court where needed. Although this should be kept to the minimum. This is where we'll fulfill the requirements to only allow users to view, update and delete that one tasks, and then finally, we'll run through. The FBI from Started finished demonstrating the A P I and two went, including authentication. Then there's a bit of a bonus material. 
I'll show you a quick sort of client application and I've developed, although really sort of thrown together to show you how this a P I can be used with an iPhone up, for example. So this is a story, a way of being given. We need a build a task list system that will allow users to log in and create updated and delete tasks. Each user's task will be private of them, and other users will not be able to view or modify them. Were responsible for the database back end the Web services on the authentication module. However, we're not responsible for the front end. All the service set up this is beyond the scope of this course. 3. What is REST?: So what is arrest? Really? A P I rest stands for representational steer transfer rest api Eisen interferes. That is stainless. So if each requests the receiving system doesn't know anything about any previous requests . He uses a client server model by your request to response architecture utilises the standard http verbs and status courts such as get posed patch and delete. This allows you to create read update until the theater this is also known as crude is important or that rest is not a standard. It is a set of principles that, if any p I was to follow would make a rest ful. Rest is generally preferred over sort. Dude would simply implementation, and Morsi uses Jason for the response output. Jason is simpler and less for Boston XML, which is what syllabuses. We'll be using Jason exclusively in this course. Examples of what an e. P. I can be used for our Lord and update their to use neckline application. This may be mobile or desktop application. 
So, for example, if you use Facebook on a smartphone when you request your friend list that calls a Facebook G p I to retrieve the friend list or It could be the fact that your blood in image from your smartphone to share with your friends on the social networks such as Facebook the FBI usage is hidden from the user is a client application carries out the necessary actions using the API eyes on the uses behalf. Example. Usage of arrest. Feli api I to get user details of a user with an idea of one is get slash users slash one the slash one is the user i. D. So how was it implemented? The rest Filippi eyes implemented using the CPI verbs that is sent with a request post is used to create. Get is used to retrieve patches. Usedto idiot Put is used to replace and delete has used for delete the most common verbs that a used deer, the deer get and paused when using a Web roses such as Google crawl and you click a link toe open appeared. This is a get request, as you were getting or retrieving the data that is on the peered from the server. If you ever filled out a form on a website and press the submit button, then you reviews paused as you have posted the form theater to the server. The post request will usually have a request body, as you were supplying some deer did to the server for the service of process. The survey takes requests and process it and then replies with a response. This includes any output as well as the HDP Response Court. So for the request, get uses slash one to get the user with i d. One That would reply, for example, with a status court of 200 which basically means walk here. That was received and it worked, and then it respond back with the body in the request. So, for example, we have an I d hear of Want the name of the user in an age of the user. The http status cords, the common ones listed here. But there's many more. There's a good website and put it on screen. Now for http. 
Steelers courts have a look at this website and you'll be able to see a lot more detail about what each theater's called means. So 200 is used for or care. If you were creating a user by using the post create, then that should respond back if it was successful with 21 response. Accord 400 is basically used for if something is not formatted correctly on the request, so see it had mandatory fields for creating a user such as name, and you sort of forgot to put that in or missed it out on purpose. What should reply back with is a 41 record, which is about request because you've missed out of military data. The 41 court is for unauthorized. So, basically, if you if you go to an end point and you haven't logged in or you don't have access furniture before warn unauthorized. Basically telling you that you need to authenticate 43 sort of goes hand in hand with for a one. If you have authenticated Butch, you don't have access. So, for example, if you are a general user and only administrative users can perform in action such as reset someone's password or something like that. So if you're a general user and you try to be set someone's past bridge, it should be a 43 forbidden because you are not allowed to do that on your administrator is four or four. You're probably seeing generally browse and using a Web browser anywhere. It's where you click on the link and the links dead, so the end point is not available. So if we go to sees, get slash users slash five. In a user with the idea of five doesn't exist, you should get a full for her four or five. Is method not allowed? Saw apart from these methods? Down this left hand side here, there's this many more, but these are the general ones are used in a rest API I. If we try and delete all users using the route, delete slash users that shouldn't be allowed because generally utility uses one of the time . Whereas if you paused, which is create slash users that should lower you to create one user. 
If you were deleting the user, you would delete did the beginning the verb slash users slash i D. So you delete that one user now. Obviously, if you try and delete all users using delete slash users, you should get a four or five method not allowed. The conflict of four or nine error is if you try and create a duplicate. So say you create user that has a duplicate years and am, for example, that should return a four relying conflict Error 500 error is usually the processing on the server has field, and usually what will happen is you'll get a 500 arrow with the generic response or depending how you call this. It might actually respond with an appropriate error message. So to call the FBI's will use you are Ln points thes air known as roots or out, depending where you come from. In the beginning you have the verb, so that's the get or the post or the delete, and then you have the Web address, and then the road itself is slash, and on this occasion it's slash product, so slash products route would return a list of all products. If we specify a product idea at the end of the roots or slash products slash i d. If we just go over here, the right hand side slash products slash one that would return the product details of one product with an idea of war north that of root can carry out different actions depending on what http verb is used. So, for example, if we use the same route as we did before. So the slash products route and was want to get to opposed, so that should mean create a product. So there's the U R L in point, and they're obviously the route is slash product. You would pose that, but you would have to include Jason Body. This law makes sense once with sort of demo and go through building the FBI so they should create the product and then also return. It is part of the response for its it's advisable to use knowns. So, for example, slash users or slash products or slash jobs, it's best practice. Also have in point is pure ALS. 
Since it doesn't matter if you're retrieving, warn user or many users, the endpoint would be consistent. For example, slash users. If you re just returned one, you wouldn't have slash user slash one. You would have slash users slash one. So also a good rule is never used. Routes like get user, create user or delete user. These don't follow the rest principles as your mix and verbs with knowns. For example, get use a keep the verbs for use in the http request, such as get paused delete patch and the now and is part of the route, so slash users. So in theory, if you wanted to get users, you just get slash uses. 4. Software Set up: Okay, that's enough theory for the time being, will now get on to install and setting up the software. The software we use and throw this course is mumps, which is the Development Web application server. This is PHP Apache and my sequel, All Building. As part of that, you'll get a Web application called PHP. My admin. This is used for administrating the my sequel. The obvious Moving On will install Adam. This is a chord editor. It's free, open source, and it's very good. Next following that will install a program called Postman. This allows you to test out the AP ice. Okay, we'll start by installing bump. So if you fire up Google crop, it's typing month. Good is anything usually the first hit Mom taught in four Click and then you'll have mumps on my improve. We're just going to install a month because it's freak, although I do recommend proof you have different websites that you got a horse and develop click free downloads and what we want is month and mom pro or 5.2. I'm obviously on a Mac, but if you're on wooden doors, you can follow along on this one instead starts downloading. Okay, that's no downloaded. So the bottom click on it once I should ask you to install it. Just follow the with the three. Continue. Continue. Continue. Obviously read and accept the user license. I'm just gonna click install. I've got a touch. I d on my Macs. 
I'll just use me. Fingerprint installs use. It just takes a few seconds. Not too long. Okay, That's installed. Click clause moved to trash cause we'll be using the installer again. Okay, the next thing we're going to install is Adam. So just in your address bar, just go to Google. And I'm just going to type Adam editor in the Google. Do you do the first? It It's Adam. Don't, Are you? If you want to go straight to it, click. Adam. I thought about detected. I'm on a Mac. So this Quick down Lord, this year's it takes just a few seconds to download. It's not very big at all. Click on the download of the bottom left. Whom does it full up. There you go. All we're gonna do is drug that to my applications on the left hand side. Let's it installed. We're going to know to leave the install a zip file close. Okay, the last thing we're going to get is the program called Postman. So of course, Google again. Just type in post mine here p I and it's usually the top hit. Click the Link. I don't know the up cheesy platform like to say where on a map, So I'll click the Mac want. But if you're on Windows, flick the Windows one. Okay, that should have started to down Lord Out, kid. That's no. Don't click on the download A file on the left hand side. It unzips it. And all the do is just drag and drop that in applications exactly the same as we did for Adam. Okay, that's applications installed. So first of all, we'll fire up Adam just to make sure works assassinates because it's don't order from the Internet. Wish you wanna continue press a woman. Okay? He is our court after that. So the next thing will check is to make sure Postman's installed it is post month. Exactly the same to double check that you want to open it because it's downloaded from the Internet. Click open. Okay, There's Postman, and we're going to the detail of this leader, que the next thing. This is the big Warren and it's called Bump. 
And what we want to find is it's a factory of folder within the applications for Let Cold Month double click on that and a bit of a sort of brief guide here. We're going to be put in the files into HT docks. That's where we're developed. Court files will be put. That is sort of the route, or of the Web site that would develop it. Okay, so the first thing I want to do is open month and then click start service. This is not your Apache Web server on my SQL server. You get this page. So basically that means mumps all installed, all working now, going back to what was said before there was another bit of software, it was actually Web app called PHP my admin. And this slows you too sort of developed or implemented it obvious access that you go to tools on this pitch. Then you got PHP my admin click that takes its page p my outman from the fund size up a little bit just so you can see you see here less. The databases on the left tops across the top will get into this further afterwards. Started developing the database. Okay, that's the software. All installed will move on to the next video. 5. Task API Requirements: now one of the requirements. The deal of actually what we're going to be building. So the requirements for the FBI itself are in most returning Jason Response for all routes . This is so there's a consistent former returned. So client applications, in order, expect it should have been a concussion where appropriate caution allows the FBI to return results from cash if it is called within a certain amount of time. This lightens the Lord on the service, and it can deliver a response from its own cash, meaning it doesn't have to send the request back to the server. You need to use this with caution door as if you update the task. You will always want to get the latest version from the server and not the cash version. Next, the task itself needs an i. D. The title, a description the deadline did in a completion status. 
So after make sure we implement these fields within the deer dubious and also return them on the FBI is part of the response. Now there are a few different routes that are needing to be implemented. Remember, a route is Justin endpoint that you call e g forward slash tasks or forward slash tasks. Forward slash one to get task one. So the 1st 1 to return is a list of all tasks within the system. Remember, eventually this will be per user. The ruble for this will be slashed. Tusks next depend on how many tasks you store. It's a good idea to allow pigeon of results. For example, if this was being used as a shop e a p I. That returns all the list of products instead of tasks the stock enough thousands of products, it wouldn't be good practice or a good user experience to return thousands of products of once. This can be slow and take up a lot of server resources. Feature request. So what we do is below a certain amount to be returned. Perpich, for example, 20 per page. We then create a route to call the next page, which will then return the next set of results. The root for this will be slashed tasks slash page slash wall or slash tasks. Slash paid slash to for pH, too. We will then need to return the details of just one task isn't task. I d. The root for this will be slashed. Tasks slash one To get task I d want the A P. I must also be able to return either just incomplete or complete tasks only. And as previously mentioned, this will repair user as well. The root for this will either be slashed tasks slash complete or slash tasks slashing complete. So that is all of the return task route. Now we need to be able to delete a task for a given i d. And for this the route will be slashed. Tasks slash worn, for example. For task I d. One or slash tasks slashed to next, we need to allow away for a test to be updated. We won't be updated in the task i d. Is. This is a system generated identify, so we'll just allow for the title description. 
Deadline did and completion status to be updated, although you might know one rubbed it all of the details at once, so it should allow just, for example, a title to be updated and leave all the other details. The With ER. Once the task has been updated, it should return the updated task in the response. The root for this will be slash tasks slash warn where one is a task i d Finally, we need to allow a new test we created. Once the task is being created, it should return the newly created task in the response, the root for this will be slashed tasks. Okay, that's the end of these FBI requirements. Next will move on to the authentication requirements. 6. Authentication API Requirements: the next center requirements off for the authentication. E p i. The authentication, your P I will allow users to log in and log out. This will be needed to allow our task list the FBI to function on a per user basis, just like our task list FBI. All the responses should be in Jason Former The details recorded for use There are an internal i. D. Full name unique using him the hashed password. So not playing text because if the database is compromised and anyone could see the user's password, and we all know that uses mostly have to see him password for multiple systems. Along with that, there should be an active status, which can be used to make the user non current. So if a user leaves or he just wanted disable their account for some reason, there's also a field recall the amount of incorrect log in attempts. This will help implement a lockout system. For example, if it user attempts to log in incorrectly three times, the account can be locked out. The Tesla's system should allow a user to be logged in on multiple devices at once. E g. This smartphone tablet or the desktop local into a new device should not love them out of the other devices. We will need to use a concept known recessions for this, and we'll go into the details of this leader. This should be a retrial. 
Our new user to be created so user can use a client application to sign up. For example, the root for this will be slash users. We need to allow a user to create a new session by authentic in. This is known as logging in the roof, For this will be slashed sessions. We should always allow using lock out of their system. Know that they are. The sessions will be unaffected, and the root for this will be slash sessions slash session I. D. So, for example, slash lesson slash five and has mentioned early on in the course will be used in access talking, which happened living her life spot. So you must create a route that would allow the users to refresh the access Talking wonders expired, although this will be hidden from the user and the client application will deal with this. Behind the scenes, the root for this will be slashed sessions slash session I d, for example, slash sessions slash five. Okay, so now we have a list of requirements for the task for STP I, as well as the authentication FBI we can now move on to implement in a my SQL database, which will be used to store the tasks the users in the sessions. 7. Demo of Completed API - What we will be building within this course: Now that we have ran throw requirements, it is a good time to show you what we will be producing. So you can understand how our solution will work. This is a whistle stop tour of the FBI. But don't worry. We'll be going into much more detail. As we implement each requirement, we're going to start at the beginning where we will sign up. A new user log in Is that user create a couple of tasks, retrieve them tasks in a list? Oh, dear. The task and then delete the tasks we've created. Well, then finally log out the user. This will demonstrate the use of each TDP verbs as well as the response status Causeway of previously run through to Demo. This were used postman to call the FBI. It's the 1st 4 will open four smile. So I got postman here. This is what we used to test the a p I. 
So you can see you get the verb on the left hand side of see the ones that we spoke about. What's get posed. Patch delete. The first example I'm gonna show you is what happens when we try enlist the tasks. But we're not logged in as a user. So first of all, um, we type in the local web address for our development server, which is month, if you remember correctly. And that is local host party. Did it slash? Now the route that we're going to use if you remember going back to our FBI requirements Waas to get a list of all tasks, it was slashed tasks. So you see here slash tusks and I'm just going to send that request so you can see here that this is the body that we get returned in the response. So you see there will have a status court of four or one Now, this is not in the http header. This is what we've put in the wrapper for the response. The real status quarters over here, just to the right slate and see steered us for a one. Authorization required basically means we're not locked in as a user. We've got a message is a real here, which is basically a list of all messages. So you see here the access talking is missing from the header and access talking cannot be blank. And you can see here that our data is no, basically is not because they're not locked in. So the first thing we need to do is create a user because this is a fresh system. There's nothing exists. Saw to demo that we want to create a new tab at the top. Just leave here cause will be returning to this shortly to create new top. No, if you remember going back to our requirements to create a new user, what we use for create is paused. So we'll select post taping over development server again. Local Horst poor dated it, and then it's slash uses. Remember, it's plural. And what we're doing is creating a user to post slash users. No, what we need for this if we go to we need a body because we're sending theater to the server. So the click body and what it accepts is GSR. 
Remember, in this course we're dealing exclusively with JSON. So if you click raw, where it says Text here, select JSON, and what we'll do is create the JSON body. We've got three mandatory fields for this one. The first one is full name, so we just create the body that we're going to send to the server to create our user. So for full name I'm just going to put "Michael S". The next mandatory field is the username, so for username we'll just put "michael". And the next one is password. Obviously this is where the user can pick a weak password, so it's not very secure, but we'll just put "password1". So that's the body set up, and in theory this should create the user. So what I'm going to do, making sure that's on POST, is send this. You can see here, if I just enlarge this, we've got a status code of 201 which, if you remember rightly, was Created. And you can see this over here, just to the right; you've got the HTTP header here, 201 Created. Success is true because it carried out the task that we wanted to do successfully, and we get a message "User created". And then what happens is, it's good practice to then return the user, so it's user ID 1, the full name of what we put in, "Michael S", and the username "michael". We would never, ever return the password in plain text, ever. You wouldn't even return the hashed password, to be honest; once it's stored in the database it should never then be exposed anyway. So now that we've got a user we need to log in as that user. So what we're going to do is create a new tab across the top here, and remember, from our requirements, to log in we create a session, so that was /sessions. When you log in as a user, you are creating a session. So what we're doing is a create, so it's POST again, and then we'll type in our localhost web address and /sessions. Obviously this is a create, so there's a body for this as well.
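The sign-up step above (three mandatory fields, 201 Created, and a returned user object that never contains the password) is shown here as an added example; it is not the course's own Task or User model code. The table name, column names and validation messages are assumptions, and an in-memory SQLite database stands in for the course's MySQL database so the snippet runs on its own.

```php
<?php
// Added example (not the course's code): POST /users handling as demonstrated.
declare(strict_types=1);

function validateNewUser(array $body): array
{
    $messages = [];
    foreach (['fullname', 'username', 'password'] as $field) {
        if (!isset($body[$field]) || trim((string)$body[$field]) === '') {
            $messages[] = ucfirst($field) . ' not supplied or cannot be blank';
        }
    }
    return $messages;
}

function createUser(PDO $db, array $body): array
{
    $messages = validateNewUser($body);
    if ($messages !== []) {
        return ['statusCode' => 400, 'success' => false, 'messages' => $messages, 'data' => null];
    }
    $fullname = trim($body['fullname']);
    $username = trim($body['username']);
    // password_hash() salts and hashes the password; the plain text is never stored.
    $hash = password_hash($body['password'], PASSWORD_DEFAULT);

    // Prepared statement with bound parameters, so user input never becomes SQL.
    $stmt = $db->prepare('INSERT INTO tblusers (fullname, username, password) VALUES (:f, :u, :p)');
    try {
        $stmt->execute([':f' => $fullname, ':u' => $username, ':p' => $hash]);
    } catch (PDOException $e) {
        // Unique constraint on username: report it without echoing the driver message.
        return ['statusCode' => 409, 'success' => false,
                'messages' => ['Username already exists'], 'data' => null];
    }

    // Return the created user, but neither the password nor its hash.
    return [
        'statusCode' => 201, 'success' => true, 'messages' => ['User created'],
        'data' => ['user_id' => (int)$db->lastInsertId(), 'fullname' => $fullname, 'username' => $username],
    ];
}

// Constructed sample, standing in for the JSON body sent from Postman.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tblusers (id INTEGER PRIMARY KEY AUTOINCREMENT, fullname TEXT NOT NULL,
           username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
$body = json_decode('{"fullname":"Michael S","username":"michael","password":"password1"}', true);
$response = createUser($db, $body);
http_response_code($response['statusCode']);
echo json_encode($response, JSON_PRETTY_PRINT), PHP_EOL;
```

The data block returned on success is built from the validated input and the new row id only, which is how the hash stays out of every response without relying on a later filtering step.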
So if I click on Body, click raw again and then change Text to JSON, and create the JSON body. What you need here to log in as a user, normally, is to send a username and password. So the username was "michael" and the password, if you remember rightly, was "password1". Like I say, that's not a very secure password, but it's good for demo purposes. So what should happen now is it should create the session. Just as a quick example, I'm going to mistype the password; I'm just going to put "password", even though the correct password is "password1", and what you should find, if I then submit this POST request, is that I should get a 401 Unauthorized. So basically I've typed the password in incorrectly on purpose; obviously this is just for demo purposes. So the status code is 401, and then a message "Username or password is incorrect". We would never really expose whether it was the username or the password that was wrong; it's there basically to hide what could be wrong, just to stop people from being able to work out that they've got the right username but the wrong password. So to proceed a bit further, we'll just type in the correct password, which was "password1", and we'll just resubmit this, and this time it should log in. So send that, and we should get back... there you go, status 201. Remember, 201 is Created, so it's created a session for us; it's successfully logged us in. So what we get back, and these are important (we'll talk a lot about access tokens and refresh tokens in a later video, but just for this purpose I'll just show you), is a session ID of 1. So that's our session. We could have multiple sessions, remember, if we log in on different devices, but what we need is this access token.
You can see it's just a random long string that, you know, you would probably never guess, to be fair, and remember that it changes quite frequently, so it will expire. So you can see here the access token expires in, and that's in seconds. At this stage we're not too bothered about that, because I'm just demoing; we'll go into more detail once we implement these requirements. So now that we've got the access token, this is what you need to provide on every request for the tasks that we're going to be calling, so I'm just going to take a copy of that. Okay, now what we'll do, you can see I'll go back to the tab across the top here for the GET request. Remember the first time we tried to retrieve a task we weren't logged in, so it said the access token is missing, and so on. So what we're going to do now is actually, hopefully, get a list of tasks. Now, at this stage it will be blank, because we haven't actually created any tasks yet. So what you do is you send the access token that we've just copied as part of a header for the HTTP request. So in the Key here, these are sort of the header parameters that we're going to send, and the one that you need to put this in is the Authorization header. So you see Authorization, and then the value; all we're going to do is right-click, paste, and that's our access token. And remember, that's kind of the temporary password that we're given for a limited amount of time. So now I've got that, what we should do is be able to send this request now, and it should retrieve a list of tasks, which like I say should be blank. So click Send. So you see this time it was successful: 200 is OK, that's fine. Success is true, no messages, and in the data we have rows returned zero, and then what this would be would be a list of tasks; at the moment, obviously, this is none. So now what we'll do, we'll actually create one. So I'm just going to leave these tabs open because we may need them later.
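The two previous steps, logging in via POST /sessions (with the deliberately generic "Username or password is incorrect" message, a random access token and an expiry in seconds) and then presenting that token in the Authorization header on a tasks request, are shown together below as an added example. This is not the course's own session code: the table and column names, the token length and the token lifetime are assumptions, and an in-memory SQLite database stands in for the course's MySQL database so the snippet runs on its own.

```php
<?php
// Added example (not the course's code): session creation and access token lookup.
declare(strict_types=1);

const ACCESS_TOKEN_TTL = 1200;   // seconds; the lifetime is an assumption

function createSession(PDO $db, array $body): array
{
    $username = (string)($body['username'] ?? '');
    $password = (string)($body['password'] ?? '');

    $stmt = $db->prepare('SELECT id, password FROM tblusers WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // One message for both failure cases, so the caller cannot tell which part was wrong.
    if ($user === false || !password_verify($password, $user['password'])) {
        return ['statusCode' => 401, 'success' => false,
                'messages' => ['Username or password is incorrect'], 'data' => null];
    }

    // Tokens come from a CSPRNG; 24 random bytes give a 32-character base64 string.
    $accessToken  = base64_encode(random_bytes(24));
    $refreshToken = base64_encode(random_bytes(24));
    $expiry = time() + ACCESS_TOKEN_TTL;

    $ins = $db->prepare('INSERT INTO tblsessions (userid, accesstoken, accesstokenexpiry, refreshtoken)
                         VALUES (:uid, :at, :exp, :rt)');
    $ins->execute([':uid' => $user['id'], ':at' => $accessToken, ':exp' => $expiry, ':rt' => $refreshToken]);

    return ['statusCode' => 201, 'success' => true, 'messages' => [],
            'data' => ['session_id' => (int)$db->lastInsertId(), 'access_token' => $accessToken,
                       'access_token_expires_in' => ACCESS_TOKEN_TTL, 'refresh_token' => $refreshToken]];
}

// Resolve an Authorization header value to a user id, or null when the token is
// unknown or expired. The row is fetched by exact value and then re-compared with
// hash_equals so the comparison itself does not leak timing information.
function userIdForAccessToken(PDO $db, string $token): ?int
{
    $stmt = $db->prepare('SELECT userid, accesstoken, accesstokenexpiry FROM tblsessions WHERE accesstoken = :t');
    $stmt->execute([':t' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['accesstoken'], $token)) {
        return null;
    }
    if ((int)$row['accesstokenexpiry'] < time()) {
        return null;   // expired: the client must use the refresh route instead
    }
    return (int)$row['userid'];
}

// Constructed walk-through mirroring the Postman demo.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tblusers (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE tblsessions (id INTEGER PRIMARY KEY AUTOINCREMENT, userid INTEGER,
           accesstoken TEXT, accesstokenexpiry INTEGER, refreshtoken TEXT)');
$db->prepare('INSERT INTO tblusers (username, password) VALUES (?, ?)')
   ->execute(['michael', password_hash('password1', PASSWORD_DEFAULT)]);

$wrong = createSession($db, ['username' => 'michael', 'password' => 'password']);
echo $wrong['statusCode'], ' ', $wrong['messages'][0], PHP_EOL;

$ok = createSession($db, ['username' => 'michael', 'password' => 'password1']);
echo $ok['statusCode'], ' session ', $ok['data']['session_id'], PHP_EOL;

var_dump(userIdForAccessToken($db, $ok['data']['access_token']));
var_dump(userIdForAccessToken($db, 'not-a-real-token'));
```

Because the expiry is stored as an absolute timestamp and checked on every request, a token that was valid when copied into Postman stops working on its own once the lifetime passes, which is the behaviour the refresh route in the requirements exists to handle.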
What we're going to do now is just create a new task. For every request that we send to do with creating, deleting, updating or retrieving tasks, we need this access token, so I'm just going to make sure that's copied; I'm going to need it. Go to create a new tab, and remember POST is used to create. So what we'll do is type in our local web development server, which is obviously localhost with the port number. Remember, to create a new task it's /tasks, because we haven't got an ID; we're not making an ID up to create a task, that is system generated. So what we do is send a POST request to just /tasks. Obviously with POST you have to provide a body. So go on the Body, click on raw, change it to JSON, and start the JSON body. Now a task has mandatory fields, but what we're going to do is just supply all of the fields that are required. Now, going back to the requirements, we had the task title, task description, task deadline and completed status. So if we start with title, and we'll give this, I don't know, just an exam
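The POST /tasks body being built above carries a title, description, deadline and completed status. The following is an added example, not the course's own Task model: it validates such a body before anything reaches the database, returning the 400 envelope with one message per problem so the client learns every defect in a single round trip. The field limits, the accepted deadline format and the allowed completed values are assumptions.

```php
<?php
// Added example (not the course's code): validation of a POST /tasks JSON body.
declare(strict_types=1);

function validateTaskBody(array $body): array
{
    $messages = [];

    // Title and description are mandatory, with assumed length limits.
    $title = trim((string)($body['title'] ?? ''));
    if ($title === '') {
        $messages[] = 'Title field is mandatory and cannot be blank';
    } elseif (mb_strlen($title) > 255) {
        $messages[] = 'Title cannot be longer than 255 characters';
    }
    $description = trim((string)($body['description'] ?? ''));
    if ($description === '') {
        $messages[] = 'Description field is mandatory and cannot be blank';
    }

    // Deadline is optional but must round-trip through an exact date format
    // (assumed dd/mm/yyyy hh:mm) so "31/02/2019 10:00" is rejected, not silently shifted.
    if (array_key_exists('deadline', $body) && $body['deadline'] !== null) {
        $deadline = (string)$body['deadline'];
        $parsed = DateTime::createFromFormat('d/m/Y H:i', $deadline);
        if ($parsed === false || $parsed->format('d/m/Y H:i') !== $deadline) {
            $messages[] = 'Deadline date time must be in the format dd/mm/yyyy hh:mm';
        }
    }

    // Completed is a flag; only the two assumed values are accepted.
    $completed = $body['completed'] ?? null;
    if (!in_array($completed, ['Y', 'N'], true)) {
        $messages[] = 'Completed must be Y or N';
    }

    return $messages;
}

function createTaskResponse(array $body): array
{
    $messages = validateTaskBody($body);
    if ($messages !== []) {
        return ['statusCode' => 400, 'success' => false, 'messages' => $messages, 'data' => null];
    }
    // A real handler would insert the task here and return the stored row.
    return ['statusCode' => 201, 'success' => true, 'messages' => ['Task created'], 'data' => $body];
}

// Constructed sample bodies: one valid, one with an impossible date and a bad flag.
$good = json_decode('{"title":"Example task","description":"Demo","deadline":"01/01/2019 10:00","completed":"N"}', true);
$bad  = json_decode('{"title":"","description":"Demo","deadline":"31/02/2019 10:00","completed":"maybe"}', true);
echo json_encode(createTaskResponse($good), JSON_PRETTY_PRINT), PHP_EOL;
echo json_encode(createTaskResponse($bad), JSON_PRETTY_PRINT), PHP_EOL;
```

Comparing the re-formatted date with the original string is what catches out-of-range dates: DateTime::createFromFormat on its own would happily normalise 31 February to 3 March.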