API Tokens is a special mechanism of the Web Services authentication designed for 3rd party integration. Unlike to others available authentication approaches in UUX, like OAUTH 2 token, the API Token mechanism does not require End-User interaction (to provide credentials for log in), what allows to use in background processes, e.g. for cross process communications (example: Data Gateway communicates with SASM Services) or for interactions
To setup a connection with Web Services using API token approach, the valid API token need to be present in System. In Administration application, the area "Integration / Web Service Tokens" presents all the Tokens.
Run action "Generate New Token" to issue new API Token.
Name, unique token name used to describe a purpose of the Token
Expires at, specifies amount of days the token stays valid. Option "Never Expires" keeps the generated token always valid until the moment the API Token is deactivated or deleted.
User, defines the Person associated with the Token. After successful authentication with API Token the System uses defined Person permissions for authorizing access to System resources.
Once the API Token is generated the System displays the Token on action result page.
The generated Token is not stored and available ONLY right after generation in Action result page. Therefore it need to be copied and saved in secure way somewhere for a continuous use
Example: Configure API Token for 3d Party integration
Use Case: The 3rd Party application "ExternalApp" need to be allowed to call a single Web Service method in SASM
- Create a Person in SASM, with name "ExtenalApp".
- Change the Audience of the needed Web Service Method to grant access for the "ExtenalApp" user
- Create API token for the "ExtenalApp" user
- Use the generated Token in external application
Using API Token for Web Service call
The SolutionBuidler uses Access Token to authenticate each Service request. To obtain the Access Token the API Token has to be exchanged using a dedicated Web Service call:
POST /m42Services/api/ApiToken/GenerateAccessTokenFromApiToken/? HTTP/1.1 Host: server.example.com Authorization: Bearer $ApiToken
The Access Token is issued for a short period of time, what allows to mitigate risks when the API Token has been compromised.
For more details see an article how to Generate and Use API tokent