User Tokens | INTERMEDIATE
What are User Tokens?
User Tokens are a form of authentication that grant API access to a specific user, providing both permission and authentication information in the same token.
Why should I use User Tokens?
✓ Eliminates the need for application tokens and don’t require any additional authentication.
✓ Provides enhanced security by limiting scope of action to only apps that you’ve assigned the token to.
✓ Can be easily assigned and unassigned as needed. Additionally, you can view latest usage, delete or temporarily deactivate your token if you suspect any security compromise.
How do I create a User Token?
- On the username dropdown navigate to: My preferences
- Under the My User Information section click the link that says Manage my user tokens for … realm and then click New user token. Enter a Name and optional Description and select the application(s) you will to assign your token to.
- After saving, you will be redirected back to My User Tokens where you will see you newly generated user token. Here, you can view the Last used date of your token. You can also activate, deactivate or delete your token from this table.
User Tokens vs Application Tokens
✓ User Tokens explicitly grant API access to a specific user and can be thought of as a combination of permission and authentication. If you are using a User Token, you don’t need an additional Application Token or app credentials.
✓ Application Tokens provide permission to access an application in addition to authentication credentials (username/password or ticket). The Application Token ensures that the external source is permitted to make API calls against the app, while the credentials ensure the calls are executed by someone with the correct permissions within the app.
- API Add Record call using XML
POST: https://target_domain/db/target_dbid? Content-Type: application/xml Content-Length: QUICKBASE-ACTION: API_AddRecord Ticket & Application Token Method <qdbapi> <udata>data</udata> <ticket>authenticationTicket</ticket> <apptoken>applicationToken</apptoken> <field fid="6">firstName</field> <field fid="7">lastName</field> <field fid="8">emailAddress</field> </qdbapi> User Token Method <qdbapi> <udata>data</udata> <usertoken>userToken</usertoken> <field fid="6">firstName</field> <field fid="7">lastName</field> <field fid="8">emailAddress</field> </qdbapi>
- API Add Record call using URL
Ticket & Application Token Method https://target_domain/db/target_dbid?a=API_AddRecord &_fid_6=firstName&_fid_7=lastName&_fid_8=emailAddress &ticket=authentication_ticket&apptoken=application_token User Token Method https://target_domain/db/target_dbid?a=API_AddRecord &_fid_6=firstName&_fid_7=lastName&_fid_8=emailAddress &usertoken=userToken
BEST PRACTICE: It is NOT SECURE to use User Tokens to make API calls from a browser (i.e. a Code Page) as they can easily be extracted from the source code. Always treat User Tokens as if they were a username/password and store them privately.
To apply what you’ve learned about User Tokens to your next app, take a look at our API AddRecord article. This will give you the information you need to create new Quick Base records. If you’re looking for more information about Application Tokens click here to learn more!
- Author: James De Roche (firstname.lastname@example.org )
- Date Submitted: 1/3/2019