Application Tokens | INTERMEDIATE

What are Application Tokens

An application token is an extra string of characters included in an API call in addition to a username/password or ticket used for authentication. For the API call to be executed, this string must match one of the application tokens assigned to your app (if you require them).

Why should I use Application Tokens?

Advanced developers interact with Quick Base through Code Pages and external applications via the Quick Base HTTP API. Application tokens provide an additional level of security by preventing unauthorized persons from making API calls to your application.

BEST PRACTICE: If your application is not using sensitive data, you can disable Application Tokens. However, it is still best to include them to prevent any malicious behavior.


How do I enable Application Tokens?

  1. From the application Home page, navigate to: Settings > App properties

  2. Around the middle of the page, you will see Security Options listed under the Advanced Settings section. If the Require Application Tokens box is checked, application tokens are enabled. To disable, uncheck this box. Click the Manage Application Token link to view and assign tokens to your application.

  3. If this is a new application, there will typically not be any Application Tokens listed (application copies being the exception, but we’ll get to that later). From this screen, you will have the ability to assign existing tokens from other applications, create new tokens and remove tokens.


Assigning an existing Application Token

If you already have Application Tokens being used in another application within your realm, then you can assign them here. Oftentimes, a developer will choose to use one token across multiple applications. You also have the ability to create your own custom token using this method.

  1. To start, click Assign Existing Application Token and the following screen will appear:

  2. If you have an Application Token that you are using from another app, select your token from the Choose Existing Token drop-down. To use a custom token, select Enter Token and input your token beneath.

  3. You can choose to add a Description or leave it blank. If multiple people use tokens in your apps/realms, it is best to include a description (although the creator’s name will also appear).

  4. If you want to allow your Application Token to be copied when creating a copy of your application, select the OK to Copy option; otherwise, leave this unchecked.

  5. Click OK to assign the token for use in your application.


Creating a new Application Token

  1. To start, click Create New Application Token and the following screen will appear:

  2. You can choose to add a Description or leave it blank. If multiple people use tokens in your apps/realms, it is best to include a description (although the creator’s name will also appear).

  3. If you want to allow your Application Token to be copied when creating a copy of your application, select the OK to Copy option; otherwise, leave this unchecked.

  4. The Application Token string will be generated after you click OK.


Removing existing Application Tokens

  1. On the Manage Application Tokens page, you will see a list of all existing Application Tokens assigned to your app:

  2. To remove a token, simply click the Remove button to the far right of the table row. There is no prompt screen and your token will be removed immediately after clicking.

Application Tokens vs User Tokens

✓ Application Tokens provide permission to access an application in addition to authentication credentials (username/password or ticket). The Application Token ensures that the external source is permitted to make API calls against the app, while the credentials ensure the calls are executed by someone with the correct permissions within the app.

✓ User Tokens explicitly grant API access to a specific user and can be thought of as a combination of permission and authentication. If you are using a User Token, you don’t need an additional Application Token or app credentials.


Example Usage

  1. API Add Record call using XML
POST: https://target_domain/db/target_dbid?
Content-Type: application/xml
Content-Length:
QUICKBASE-ACTION: API_AddRecord

Ticket & Application Token Method
<qdbapi>
    <udata>data</udata>
    <ticket>authenticationTicket</ticket>
    <apptoken>applicationToken</apptoken>
    <field fid="6">firstName</field>
    <field fid="7">lastName</field>
    <field fid="8">emailAddress</field>
</qdbapi>

User Token Method
<qdbapi>
    <udata>data</udata>
    <usertoken>userToken</usertoken>
    <field fid="6">firstName</field>
    <field fid="7">lastName</field>
    <field fid="8">emailAddress</field>
</qdbapi>

  2. API Add Record call using URL
Ticket & Application Token Method
https://target_domain/db/target_dbid?a=API_AddRecord
&_fid_6=firstName&_fid_7=lastName&_fid_8=emailAddress
&ticket=authentication_ticket&apptoken=application_token

User Token Method
https://target_domain/db/target_dbid?a=API_AddRecord
&_fid_6=firstName&_fid_7=lastName&_fid_8=emailAddress
&usertoken=userToken
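
If the XML bodies above are assembled by string concatenation, a field value containing markup can alter the request. As an added example (not Quick Base's or the author's code), this Python function builds the same body with an XML library so values are escaped, and computes the Content-Length header left blank above. The name `build_add_record` is hypothetical, and the ticket method is assumed to run against an app with Require Application Tokens checked.

```python
import xml.etree.ElementTree as ET


def build_add_record(fields, *, ticket=None, apptoken=None, usertoken=None, udata=None):
    """Return (headers, body) for an API_AddRecord POST in the XML form shown above.

    Hypothetical helper. Assumes the app has Require Application Tokens checked,
    so the ticket method is rejected unless an application token accompanies it.
    """
    if usertoken and (ticket or apptoken):
        raise ValueError("send a user token OR ticket + application token, not both")
    if not usertoken and not (ticket and apptoken):
        raise ValueError("ticket method needs a ticket and an application token")

    root = ET.Element("qdbapi")
    if udata is not None:
        ET.SubElement(root, "udata").text = udata
    if usertoken:
        ET.SubElement(root, "usertoken").text = usertoken
    else:
        ET.SubElement(root, "ticket").text = ticket
        ET.SubElement(root, "apptoken").text = apptoken
    for fid, value in fields.items():
        # int() raises on a non-numeric field id; ElementTree escapes &, < and >
        # in the text, so a value cannot open or close elements.
        ET.SubElement(root, "field", fid=str(int(fid))).text = str(value)

    body = ET.tostring(root, encoding="unicode").encode("utf-8")
    headers = {
        "Content-Type": "application/xml",
        "Content-Length": str(len(body)),  # byte length, not character count
        "QUICKBASE-ACTION": "API_AddRecord",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed sample values; the last name tries to smuggle in a second element.
    hdrs, xml_body = build_add_record(
        {6: "Ada", 7: "x</field><usertoken>injected</usertoken>", 8: "ada@example.com"},
        ticket="authenticationTicket", apptoken="applicationToken", udata="data",
    )
    print(hdrs)
    print(xml_body.decode("utf-8"))
```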

BEST PRACTICE: It is NOT SECURE to use User Tokens to make API calls from a browser (i.e. a Code Page) as they can easily be extracted from the source code. Always treat User Tokens as if they were a username/password and store them privately.
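
One way to check Code Page source for the problem described above, as an added example that is not part of the original article or Quick Base's tooling: the Python function below flags hard-coded `usertoken`, `apptoken` and `ticket` values in the URL and XML forms shown on this page. The function name, the patterns and the sample source are assumptions constructed for illustration.

```python
import re

# Credential names as they appear in the XML and URL examples on this page.
_NAMES = r"(usertoken|apptoken|ticket)"
# name=value inside a URL or string literal; the value ends at a quote, & or space.
_URL_FORM = re.compile(r"(?i)\b" + _NAMES + r"=([^&\s\"'`<>]+)")
# <name>value</name> inside an XML request body built in the page source.
_XML_FORM = re.compile(r"(?i)<" + _NAMES + r">\s*([^<\s\"'`][^<]*)</\1>")


def find_embedded_tokens(source):
    """Return (line_number, credential_name, value_length) per hard-coded credential.

    A value that starts with a template placeholder, or a name followed directly
    by a closing quote (value concatenated at runtime), is not a literal and is skipped.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in (_URL_FORM, _XML_FORM):
            for match in pattern.finditer(line):
                name, value = match.group(1).lower(), match.group(2).strip()
                if value.startswith(("${", "{{")):
                    continue
                # Report only the length so scan output never repeats the secret.
                findings.append((lineno, name, len(value)))
    return findings


# Constructed Code Page source; the token values are made up.
SAMPLE_CODE_PAGE = """<script>
var base = "https://target_domain/db/target_dbid?a=API_AddRecord";
var bad  = base + "&_fid_6=Ada&usertoken=EXAMPLE_hardcoded_value_123";
var ok   = base + "&_fid_6=Ada&apptoken=" + appTokenFromServer;
var body = "<qdbapi><usertoken>EXAMPLE_second_value</usertoken></qdbapi>";
var tpl  = `${base}&ticket=${ticket}`;
</script>"""

if __name__ == "__main__":
    for lineno, name, length in find_embedded_tokens(SAMPLE_CODE_PAGE):
        print(f"line {lineno}: hard-coded {name} ({length} characters)")
```

Any finding for `usertoken` means the token should be revoked and the call moved to a server-side component, since the page source has already exposed it.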


To apply what you’ve learned about Application Tokens to your next app, take a look at our API AddRecord article. This will give you the information you need to create new Quick Base records. If you’re looking for more information about User Tokens click here to learn more!



Copyright ©2020 - Quandary Consulting Group