Export and Delete User Data

As part of compliance with GDPR and CCPA regulations, users need to be able to request the information that has been collected about them. OpenWeb enables you to provide this information in response to a user's request.


Required items

Item: Locating the value

OpenWeb Spot ID (Required only for user data exports)
  1. Log into your Admin Dashboard.
  2. Copy your Spot ID from the URL: https://admin.spot.im/spot/{SPOT_ID}/...

Export token (Required only for user data exports)
  1. From your OpenWeb Admin Dashboard, click Settings.
  2. In the Authentication Tokens, copy the export token.

SSO access token
  Request this from your OpenWeb PSM


Export user data

  1. Make a GET /v1/user/{primary_key} call which includes your SSO access token in the request header. The primary_key is the unique user ID generated by your backend user management system. Making this call enables you to obtain the user's OpenWeb user ID.

    This must be a backend-to-backend call to maintain the security of your access token.

    Within the API response, user.spotim_user_id is the OpenWeb user ID.
GET https://www.spot.im/api/sso/v1/user/{primary_key}
Header: x-spotim-sso-access-token: ACCESS_TOKEN
{
    "success": true,
    "user": {
        ...
        "spotim_user_id": "USER_ID",
        ...
    }
}

  2. Make a POST /gdpr/export call with your Spot ID, export token, and OpenWeb user ID. The POST call returns the export ID.
POST https://open-api.spot.im/gdpr/export

{ 
    "access_token": "1234567890",  
    "spot_id": "sp_123",  
    "user_id": "u_123"
}



Get user data export status

  1. Follow the steps in the Export user data section to obtain the OpenWeb user ID and export ID.
  2. Make a GET /gdpr/export/status/{ID}?access_token={TOKEN}&spot_id={SPOT_ID} request. Be sure to replace the following placeholders:

    {ID}: Replace with the export ID
    {SPOT_ID}: Replace with your Spot ID
    {TOKEN}: Replace with the export token.

    This GET call returns the status.
GET https://open-api.spot.im/gdpr/export/status/{ID}?access_token={TOKEN}&spot_id={SPOT_ID}
{
   "status": "pending"
}
{
   "status": "completed",
   "link": "{download_link}"
}
{
   "status": "failed"
}
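The user lookup and status polling described above, as an added backend-side sketch (not OpenWeb's own code). Because the status request carries the export token in its query string, the sketch masks that value before anything is logged. The function names, the injectable `send` transport, and the 30-second interval and 20-attempt limit are assumptions made for illustration.

```python
import json
import time
import urllib.parse as up
import urllib.request

SSO_API = "https://www.spot.im/api/sso/v1/user/"
STATUS_API = "https://open-api.spot.im/gdpr/export/status/"


def redact(url):
    """Mask the export token so the URL can be written to logs."""
    parts = up.urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in up.parse_qsl(parts.query)]
    return up.urlunsplit(parts._replace(query=up.urlencode(query)))


def http_json(method, url, headers=None):
    """Default transport: one HTTPS request, JSON response."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def openweb_user_id(primary_key, sso_token, send=http_json):
    """Step 1: map your backend's user ID to the OpenWeb user ID."""
    url = SSO_API + up.quote(str(primary_key), safe="")
    reply = send("GET", url, {"x-spotim-sso-access-token": sso_token})
    if not reply.get("success"):
        raise RuntimeError("user lookup was not successful")
    return reply["user"]["spotim_user_id"]


def wait_for_export(export_id, export_token, spot_id, send=http_json,
                    interval=30, attempts=20, log=print):
    """Poll the status endpoint; return the download link when completed."""
    query = up.urlencode({"access_token": export_token, "spot_id": spot_id})
    url = STATUS_API + up.quote(str(export_id), safe="") + "?" + query
    for _ in range(attempts):
        log("GET " + redact(url))  # never log the raw URL: it carries the token
        reply = send("GET", url)
        if reply.get("status") == "completed":
            return reply["link"]
        if reply.get("status") != "pending":
            raise RuntimeError("export status: %r" % reply.get("status"))
        time.sleep(interval)
    raise TimeoutError("export still pending after %d polls" % attempts)
```

Pass `wait_for_export` the export ID returned by the POST /gdpr/export call; this page does not show that response's shape, so extracting the ID is left to the caller.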

Export Files

When the export completes ("status":"completed"), the response includes a link to a .zip file with the user's data. The .zip file includes the following JSON files:

dislikes.json: Single array of all disliked comments by the user
[
  "MESSAGE_ID4",
  "MESSAGE_ID5",
  "MESSAGE_ID6"
]

likes.json: Single array of all liked comments by the user
[
  "MESSAGE_ID",
  "MESSAGE_ID2",
  "MESSAGE_ID3"
]

messages.json: All of the user's message metadata
[
  {
    "manually_resolved":null,
    "author_id":"OW_USER_ID",
    "moderator_id":"OW_USER_ID",
    "spot_id":"SPOT_ID",
    "state":"approved",
    "parent_comment_id":"COMMENT_ID",
    "conversation_id":"CONVERSATION_ID",
    "published":true,
    "conv_message_id":"MESSAGE_ID",
    "written_at":1669567812,
    "content":[
      {
        "id":"CONTENT_ID",
        "text":"MESSAGE",
        "type":"text"
      }
    ],
    "stars":null,
    "metadata":{},
    "tags":null,
    "tags_metadata":null,
    "type":"reply",
    "never_hard_delete":null,
    "additional_data":{"labels":{}},
    "anonymous_user_id":null,
    "anonymous_user_name":null,
    "anonymous_image_id":null,
    "ip":"USER_IP_ADDRESS",
    "edited":null,
    "token":null,
    "id":"MESSAGE_ID"
  }
]

profile.json: User's profile metadata and roles
{
  "user_id":"OPEN_USER_ID",
  "registered":true,
  "social_ids":[],
  "sso":null,
  "roles":[
    {"role":"owner","stage":"SPOT_ID"},
    {"role":"moderator","stage":"SPOT_ID"},
    {"role":"team-member","stage":"SPOT_ID"},
    {"role":"registered","stage":"system"}
  ],
  "basic":{
    "user_name":"USER_NAME",
    "display_name":"DISPLAY_NAME",
    "image_id":null,
    "gender":null,
    "birthday":"BIRTHDATE",
    "about":null,
    "location":null,
    "email":"EMAIL",
    "email_verified":true
  }
}

The .zip file link will only be available for 60 days.



Delete user data

When requested by a user, you must delete the user’s OpenWeb account to remain compliant with GDPR and CCPA regulations.

  1. Make a GET /v1/user/{primary_key} call which includes your SSO access token in the request header. The primary_key is the unique user ID generated by your backend user management system. Making this call enables you to obtain the user's OpenWeb user ID.

    This must be a backend-to-backend call to maintain the security of your access token.

    Within the API response, user.spotim_user_id is the OpenWeb user ID.
GET https://www.spot.im/api/sso/v1/user/{primary_key}
Header: x-spotim-sso-access-token: ACCESS_TOKEN
{
    "success": true,
    "user": {
        ...
        "spotim_user_id": "USER_ID",
        ...
    }
}

  2. Make a DELETE /v1/user/{primary_key} call which includes your SSO access token in the request header.
DELETE https://www.spot.im/api/sso/v1/user/{primary_key}
Header: x-spotim-sso-access-token: ACCESS_TOKEN

Once the user has been deleted, comments by the deleted user remain and are linked to a random guest user.