This offseason we are planning a major upgrade to the infrastructure that supports the MyFantasyLeague.com web site. This upgrade will allow us to continue to improve our product and offer some enhancements that many of our users have been asking for. However, it will also require changes to all API clients. Without these changes, all third-party applications will cease to work.
There are two main changes. The first is regarding hostnames and the second deals with user authorization.
For hostnames, in the past the API calls have been accessible via URLs such as footballXX.myfantasyleague.com, where XX is a one or two digit number. The new hostnames will be of the form wwwXX where XX is a two-digit number. Some non-league specific requests will also be accepted at www.myfantasyleague.com the way football.myfantasyleague.com was used before. Requests should be directed to the proper server (if sent to the wrong one, the system will return a redirect like in the past). In general no real changes are needed here other than verifying that you don't have any hardcoded hostnames in your code or any logic that assumes 'footballXX' as a hostname.
The second and more significant change is that we are introducing the concept of Single Sign On for all leagues. That means that users will be able to access all their leagues with a single user name/password combination, instead of having to enter a password on every league, which is something that many customers have been requesting for a long time.
This also requires an important change in how league and franchise info is accessed via the API.
Until now, any request for information that requires user verification required the API client to pass in a cookie with the session id. The new process is similar but the specifics have changed. The new sequence of steps is this:
- Prompt for the customer's username and password.
- Programmatically call:
- passing in a valid league id (L parameter), username and password. The HOST value is the server hosting the league.
- If you are prompting for this info outside a league context, you may skip the L parameter and may use any valid hostname.
- If valid information is passed into the login program, the response will include a <status cookie_name="cookie_value"...>.
- If invalid information is passed into the login program, it will respond with an <error... status message> response.
- The returned cookie name/value pair should be passed back in via a standard HTTP header cookie in the format: "Cookie: MFL_USER_ID=cookie_value" in all subsequent calls to the import program that you make while that user is logged in.
- Note that the cookie value is a Base64 string. That means it may contain the special symbols '+', '/' and/or '='. Depending on your environment, you may need to explicitly URL-escape these symbols before passing them back to us (e.g. converting '=' to '%3D').
Some export functions have required passing the league password in order to return commissioner-only information. That's no longer necessary. This information will be returned if a user is logged in as a user with commissioner access.
You should also implement logout functionality, which should consist of deleting the user cookie info and not passing it in subsequent calls.
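The cookie handling in the steps above, together with logout, as an added Python example that is not MyFantasyLeague's own code. The class names, the sample responses and the exact shape of the error element are assumptions; the login URL is not shown here, so the example starts from the response body.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

COOKIE_NAME = "MFL_USER_ID"  # cookie name given in the announcement


class LoginError(Exception):
    """Raised when the login program answers with an <error> element."""


class MflSession:
    """Hypothetical helper that holds the user cookie between login and logout."""

    def __init__(self):
        self._cookie_value = None

    def load_login_response(self, xml_text):
        root = ET.fromstring(xml_text)
        if root.tag == "error":
            # Assumed shape: message in the element text or in its attributes.
            raise LoginError((root.text or "").strip() or str(root.attrib))
        value = root.attrib.get(COOKIE_NAME) if root.tag == "status" else None
        if not value:
            raise LoginError("no %s attribute in login response" % COOKIE_NAME)
        self._cookie_value = value

    def headers(self, url_escape=True):
        """Headers for calls made while the user is logged in."""
        if self._cookie_value is None:
            return {}
        value = self._cookie_value
        if url_escape:
            # Base64 may contain '+', '/', '='; safe="" escapes all three.
            value = quote(value, safe="")
        return {"Cookie": "%s=%s" % (COOKIE_NAME, value)}

    def logout(self):
        """Delete the stored cookie so later calls are sent without it."""
        self._cookie_value = None

    def __repr__(self):
        # Keep the session secret out of logs and tracebacks.
        return "<MflSession logged_in=%s>" % (self._cookie_value is not None)


# Constructed sample responses, not captured from the real service.
SAMPLE_OK = '<status MFL_USER_ID="aB3+xY/9zQ==">OK</status>'
SAMPLE_ERROR = '<error>Invalid Password</error>'
```

Pass `url_escape=False` if your HTTP library already escapes cookie values, so the value is not escaped twice.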
The timing for this is not fully set, but we are hoping to launch this during the second week of March (March 7 or so). The launch process is quite complex and will require a 1-2 day outage. During this time none of the API functionality will be available (as the site won't be available either). After the upgrade is completed, the old APIs won't work. We wanted to make them backward compatible, but that turned out to be too complex and not worth the effort involved.
After the upgrade, the documentation on the site will be updated too.
Any questions or comments are welcome and you may post them in this newly created forum.