2023-09-18 12:48:16 +02:00
|
|
|
---
|
|
|
|
|
title: Authentication
|
|
|
|
|
layout: default
|
|
|
|
|
parent: API
|
|
|
|
|
nav_order: 2
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# Authentication
|
|
|
|
|
|
2023-10-15 13:21:14 +02:00
|
|
|
To use API endpoints, the external application has to authenticate itself, so that Part-DB knows which user is accessing
|
|
|
|
|
the data and which permissions
|
|
|
|
|
the application should have during the access. Authentication is always bound to a specific user, so the external
|
|
|
|
|
applications is acting on behalf of a
|
2024-02-23 13:56:23 +01:00
|
|
|
specific user. This user limits the permissions of the application so that it can only access data, which the user is
|
2023-10-15 13:21:14 +02:00
|
|
|
allowed to access.
|
2023-09-18 12:48:16 +02:00
|
|
|
|
|
|
|
|
The only method currently available for authentication is to use API tokens:
|
|
|
|
|
|
|
|
|
|
## API tokens
|
|
|
|
|
|
2024-02-23 13:56:23 +01:00
|
|
|
An API token is a long alphanumeric string, which is bound to a specific user and can be used to authenticate as this user when accessing the API.
|
2024-01-25 13:22:01 +01:00
|
|
|
The API token is passed via the `Authorization` HTTP header during the API request, like the
|
|
|
|
|
following: `Authorization: Bearer tcp_sdjfks....`.
|
2023-09-18 12:48:16 +02:00
|
|
|
|
|
|
|
|
{: .important }
|
2023-10-15 13:21:14 +02:00
|
|
|
> Everybody who knows the API token can access the API as the user, which is bound to the token. So you should treat the
|
|
|
|
|
> API token like a password
|
2023-09-18 12:48:16 +02:00
|
|
|
> and keep it secret. Only share it with trusted applications.
|
|
|
|
|
|
2023-10-15 13:21:14 +02:00
|
|
|
API tokens can be created and managed on the user settings page in the API token section. You can create as many API
|
|
|
|
|
tokens as you want and also delete them again.
|
|
|
|
|
When deleting a token, it is immediately invalidated and can not be used anymore, which means that the application can
|
|
|
|
|
not access the API anymore with this token.
|
2023-09-18 12:48:16 +02:00
|
|
|
|
|
|
|
|
### Token permissions and scopes
|
|
|
|
|
|
|
|
|
|
API tokens are ultimately limited by the permissions of the user, which belongs to the token. That means that the token
|
2024-02-23 13:56:23 +01:00
|
|
|
can only access data, that the user is allowed to access, no matter the token permissions.
|
2023-09-18 12:48:16 +02:00
|
|
|
|
|
|
|
|
But you can further limit the permissions of a token by choosing a specific scope for the token. The scope defines which
|
2023-10-15 13:21:14 +02:00
|
|
|
subset of permissions the token has, which can be less than the permissions of the user. For example, you can have a
|
|
|
|
|
user
|
|
|
|
|
with full read and write permissions, but create a token with only read permissions, which can only read data, but not
|
2023-09-18 12:48:16 +02:00
|
|
|
change anything in the database.
|
|
|
|
|
|
|
|
|
|
{: .warning }
|
2023-10-15 13:21:14 +02:00
|
|
|
> In general, you should always use the least possible permissions for a token, to limit the possible damage, which can
|
|
|
|
|
> be done with a stolen token or a bug in the application.
|
|
|
|
|
> Only use the full or admin scope, if you really need it, as they could potentially be used to do a lot of damage to
|
|
|
|
|
> your Part-DB instance.
|
2023-09-18 12:48:16 +02:00
|
|
|
|
2024-02-23 13:56:23 +01:00
|
|
|
The following token scopes are available:
|
2023-09-18 12:48:16 +02:00
|
|
|
|
2023-10-15 13:21:14 +02:00
|
|
|
* **Read-Only**: The token can only read non-sensitive data (like parts, but no users or groups) from the API and can
|
|
|
|
|
not change anything.
|
|
|
|
|
* **Edit**: The token can read and write non-sensitive data via the API. This includes creating, updating and deleting
|
|
|
|
|
data. This should be enough for most applications.
|
|
|
|
|
* **Admin**: The token can read and write all data via the API, including sensitive data like users and groups. This
|
2024-02-23 13:56:23 +01:00
|
|
|
should only be used for trusted applications, which need to access sensitive data and perform administrative actions.
|
|
|
|
|
* **Full**: The token can do anything the user can do, including changing the user's password and creating new tokens. This
|
2023-10-15 13:21:14 +02:00
|
|
|
should only be used for highly trusted applications!!
|
2023-09-18 12:48:16 +02:00
|
|
|
|
2023-10-15 13:21:14 +02:00
|
|
|
Please note, that in early versions of the API, there might be no endpoints yet, to really perform the actions, which
|
|
|
|
|
would be allowed by the token scope.
|
2023-09-18 12:48:16 +02:00
|
|
|
|
|
|
|
|
### Expiration date
|
|
|
|
|
|
|
|
|
|
API tokens can have an expiration date, which means that the token is only valid until the expiration date. After that
|
|
|
|
|
the token is automatically invalidated and can not be used anymore. The token is still listed on the user settings page,
|
|
|
|
|
and can be deleted there, but the code can not be used to access Part-DB anymore after the expiration date.
|
|
|
|
|
|
|
|
|
|
### Get token information
|
|
|
|
|
|
2023-10-15 13:21:14 +02:00
|
|
|
When authenticating with an API token, you can get information about the currently used token by accessing
|
|
|
|
|
the `/api/tokens/current` endpoint.
|
|
|
|
|
It gives you information about the token scope, expiration date and the user, which is bound to the token and the last
|
|
|
|
|
time the token was used.
|
