Access Tokens
Cloud Connect uses access tokens to authenticate API requests. Whenever a request is made, the token must not only be a real token but have the requisite permissions for making its request; in other words, different levels of tokens have varying levels of permissions.
There are two types of access tokens:
- User tokens are used for authenticating users when using the site and/or API.
- Device tokens are used for authenticating devices when they try to access the API to:
- Retrieve info about themselves (via the
devicesAPI) - Send and/or receive data over MQTT
- Upload data files
- Get and download OTA file updates
- Retrieve info about themselves (via the
Whenever an API request is made, a valid access token must be included in its entirety in the x-access-token header.
- This can be either a device or user token, but keep in mind both are subject to feature restrictions.
- If using Postman, go to the Headers tab of the request to edit the token.
- The
x-access-tokenfield may have to be manually added if it isn’t there already.
- The
To get your user token:
- Navigate to the Settings page via the nav menu.
- Click the
Extras section in the section selector. - Ensure the
token-hotkeyfeature flag is toggled on. - Press the
tkey to copy your user token. This hotkey will work anywhere in the site.
To get the token for an MRS-supplied device:
- Access the file
/etc/spoke-zone/spoke-zone.confon the device. - The device token is stored in the
mqtt_usernamevariable.
Contents
Section titled “Contents”Go to jwt.io to parse the contents of an access token.
User tokens contain lots of information about the user: username, permissions, organization ID, etc.
Device tokens contain the device ID and MQTT publishing prefix.
Acquisition
Section titled “Acquisition”User Tokens
Section titled “User Tokens”You can obtain a user access token via the following methods:
- You can log into Cloud Connect and press the
tkey on your keyboard to copy your user token to your clipboard.- For this to work, you have to enable the
token-hotkeyfeature flag on theExtras section of the Settings page.
- For this to work, you have to enable the
- You can make a request to the POST
/loginendpoint.- The body of the request should be in JSON format and include
passwordandusernamevariables. - If the request was successful, the API will send a
200response with a JSON object containing thetokenfor that user.
- The body of the request should be in JSON format and include
Device Tokens
Section titled “Device Tokens”You can obtain a device access token via the following methods:
- When successfully creating a device using the POST
/api/v2/devicesendpoint atokenwill be provided in the response. - You can make a request to the POST
/loginDeviceendpoint.- The body of the request should be in JSON format and include
cpu_id,uuidandtokenvariables.- The provided
tokenmust be a previously issued device token for the same device.- If the token is expired or expires within the next 12 hours, the API validates the provided
cpu_idanduuidand issues a new token. - If the token is valid for more than 12 hours, the API returns
200with"Token is valid"instead of issuing a new token.
- If the token is expired or expires within the next 12 hours, the API validates the provided
- The provided
- If the API issues a new token, it sends a
201response with a JSON object containing the renewedtokenfor that device.
- The body of the request should be in JSON format and include
- You can make a request to the GET
/api/v2/devices/:id/secretsendpoint.- Devices cannot call this endpoint.
- Requests sent to this endpoint authenticated with a device token will receive an error message.
- Users with super role don’t need to provide any extra parameters.
- Non-super users must include the correct
cpuIdquery parameter.- Example: GET
/api/v2/devices/:id/secrets?cpuId=<device-cpu-id>
- Example: GET
- If the request was successful, the API will send a
200response with a JSON object containing thecpuId,uuidand a renewedtokenfor the device.
- Devices cannot call this endpoint.