API Tokens is a special mechanism of the Web Services authentication designed for 3rd party integration. Unlike other available authentication approaches in UUX, the API Token mechanism does not require End-User interaction (to provide credentials for login), which allows for it to be used in background processes, e.g. for cross-process communications (example: Data Gateway communicates with SASM Services) or for interactions.
For more details about the Token Authentication see the Secure Token Service configuration
The API Token is a wide-spread approach for implementing machine integration. On creation of the API Token the System automatically generates the JWT token encoded with the Private Key using SHA256 algorithm. The Token is not persisted to the database, and visible only for the person who requested it. Before closing the page with the Token, it needs to be copied for further usage.
The Token (Secret) used by an integrated application needs to be properly protected to avoid the unauthorized person could read it. For example, Workflow Worker stores the API Token in the Config file encrypted with the Machine Key.
The API Token is regularly sent to the Application Server for verifying validity and issuing the short-time Access Token which could be used further for running Web API services.
If the API Token was not stored correctly and was compromised, the only what you need to do to protect the System, just Delete or Disable the corresponding to Web Service Token in the Administration.
For better security, it is recommended to issue API Tokens with a shorter lifetime (e.g 30 days).
To setup a connection with Web Services using the API token approach, the valid API token needs to be present in the System. In Administration application, the "Integration / Web Service Tokens" area presents all the Tokens.
Run action "Generate New Token" to issue a new API Token.
Name, unique token name used to describe the purpose of the Token.
Expires at, specifies amount of days the token stays valid. Option "Never Expires" keeps the generated token always valid until the moment the API Token is deactivated or deleted.
User, defines the Person associated with the Token. After successful authentication with API Token, the System uses defined Person permissions for authorizing access to System resources.
Once the API Token is generated, the System displays the Token on the action result page.
The generated Token is not stored and available ONLY right after the generation on the Action result page. Therefore, it need to be copied and saved in a secure way somewhere for continuous use.
Example: Configure API Token for 3d Party integration
Use Case: The 3rd Party application "ExternalApp" needs to be allowed to call a single Web Service method in SASM
- Create a Person in SASM, with name "ExtenalApp".
- Change the Audience of the needed Web Service Method to grant access for the "ExtenalApp" user
- Create API token for the "ExtenalApp" user
- Use the generated Token in external application
Using API Token for Web Service call
The SolutionBuidler uses Access Token to authenticate each Service request. To obtain the Access Token the API Token has to be exchanged using a dedicated Web Service call:
POST /m42Services/api/ApiToken/GenerateAccessTokenFromApiToken/? HTTP/1.1 Host: server.example.com Authorization: Bearer $ApiToken
The Access Token is issued for a short period of time, which allows mitigating risks when the API Token has been compromised.
For more information, see the how to Generate and Use API token article.