Zuora - How to get invoice PDF and display to user

Question

Short question: Using the get_invoices endpoint, when I try to access the URL from the InvoiceFiles.pdfFileUrl response, it pops up a api.zuora login form. I need my customers to be able to access these PDFs.

If I enter my Zuora creds, it will display the invoice, but of course my customers don't have Zuora creds.

Is there some sort of setting to allow customers to view PDFs from the URL?

Long Question:

The get_invoices endpoint returns 2 items of interest.

body is the REST URL of the invoice PDF file.

and

InvoiceFiles returns

1. id ID of the invoice PDF file. This is the ID for the file object and different from the file handle id in the pdfFileUrl field. To open a file, you need to use the file handle ID.
2. versionNumber Version number of the invoice PDF file
3. pdfFileUrl REST URL for the invoice PDF file. Click the URL to open the invoice PDF file.

Is there a difference between what is returned by body and InvoiceFiles.pdfFileUrl, and how do I use them correctly?

The pdfFileUrl can return multiple files. Each time the invoice is update (the customer pays etc) it generates another file. The most recent is the at index 0.

However trying to access any of the URLs, I get a api.zuora login form. If I enter my Zuora creds, it will display the invoice, but of course my customers don't have Zuora creds.

The example on the endpoint page has both the body and the pdfFiles return as blank so that doesn't help much.

Searched through their community for a while, nothing couldn't find anything remotely similar to my issue.

Answer 1

The best practice would be to use an authorization cookie. The cookie authorizes the user to make calls to the REST API for the duration specified in Administration > Security Policies > Session timeout in Zuora settings. The cookie expiration time is reset with this duration after every call to the REST API.

To obtain a cookie, call the REST connections resource:

curl -X POST \
-H "apiAccessKeyId: dummyUser" \
-H "apiSecretAccessKey: dummyPassword" \
-H "Content-Type: application/json" \
-d '{}' \
"https://rest.zuora.com/v1/connections"

Once the connection is established, subsequent API calls will work without the apiSecretAccessKey and apiAccessKeyId in the header.

Please find more details from their new API document. https://www.zuora.com/developer/api-reference/

Answer 2

We finally figured out how to do this. Has to be done server side.

First step was to call "/transactions/invoices/accounts/{accountId}" to get a list of invoices.

Second, pick the invoice out of the list that matched the invoice number we were trying to view.

On that object is a list called "invoiceFiles" - if it was non-empty, grab the first item.

Use the "pdfFileUrl" property on that item as the URL to fetch the PDF from, but in the GET request, include headers "apiAccessKeyId" and "apiSecretAccessKey" with the values set to our applicable api key. This eliminates the auth problem, but also makes it so you have to do this on your backend to avoid exposing your apiAccessKeyId and Secret.

Assuming the request for the PDF coming into us was authenticated, we'd do a pipe command on the response coming back from Zuora onto the outgoing response we are currently handling on our server: zuoraResponse.pipe(ourOutgoingResponseObj)

This will display the PDF directly to the user.