Authentication and secure access

Once you've authenticated as a Quick Base user, you can invoke API calls to access Quick Base data. Depending on how your app and account are set up, you may be required to supply the following with each API call:

  • An authentication ticket or user token – to authenticate yourself to Quick Base
  • An application token for the app that the API call will access – some apps require an application token to be provided in addition to a means of authentication.

Upon receiving the API call, Quick Base examines the authentication and application token you provided.

  • Authenticating with a ticket: If the ticket is valid, the API call is allowed to proceed. If the app also requires an application token, that is also checked before the API call can proceed.
  • Authenticating with a user token: If you authenticate yourself to Quick Base with a user token, no application token is needed, even if one is assigned to the app you’re accessing. The user token can be assigned to one or more apps, and provides built-in security that ticket authentication does not. However, user tokens are not allowed for all API calls – see the User Tokens topic for more information.

About the authentication ticket

When you authenticate a user using API_Authenticate, Quick Base returns an authentication ticket in these two formats:

  • a browser cookie: If you are using a web browser to access Quick Base, Quick Base uses the ticket cookie returned by the API_Authenticate call to authenticate users. If you are using a browser and have enabled cookies, Quick Base continues to use the cookie after the user has authenticated; you need not supply the cookie with each API call after you've authenticated the user with API_Authenticate.

  • an XML representation of the ticket for inclusion in subsequent API calls: If you are NOT accessing Quick Base using a web browser or you've not enabled cookies, you must supply the XML representation of the ticket in each API call. (Do NOT hard-code the username and password parameters and their values in your request, even if you are using HTTPS.)

By default, the ticket is valid for 12 hours. You can change this default in the API_Authenticate call; you can set the duration of the ticket's validity from one hour to several days.

The user token is an alternate means of authentication for APIs and automation that is generally more secure and convenient.

Note: API_Authenticate calls have a maximum time limit of 4,380 hours, or approximately 6 months. This applies to new tickets initiated on or after January 21, 2018.

About application tokens

An application token is an extra string of characters used to verify that access to a Quick Base application is authorized. You create application tokens for each application you want to secure; you can then insert the app token into API calls used to access the app. An API call will not be granted access to the application unless it contains the matching application token.

Application tokens are optional and provide an added layer of security to protect your application. Application tokens prevent unauthorized persons from creating API calls to your application. You can create tokens from within the Quick Base application, or using the createapptoken parameter with the API_CreateDatabase call.

If you have chosen to use application tokens, you'll need to supply a valid application token with most API calls.

A developer can request from 1 to 500 application tokens. In general, developers obtain one application token and use it for all their applications.

Note: You can also create your own user tokens in Quick Base and use them to run APIs and automation. Many API calls that use a ticket can instead take the usertoken parameter. You can still use the ticket method if you prefer. The usertoken parameter can be used with any API that doesn't post to a db/main URL, and also with API_GrantedDBs.

What if an unauthorized person uses an application token?

If you determine that an unauthorized person has used someone else’s application token, you should contact Quick Base Customer Care. Our team will then remove the user's access rights and revoke the application token.

User tokens vs. application tokens

User tokens and application tokens both help secure your apps. For example, each helps authenticate users and protect your apps from malicious API calls. So, when should you use a user token vs. an application token?

User tokens are a form of authentication, whereas app tokens provide permission to access an app in addition to authentication information (either as a ticket or username/password). Application tokens ensure that an API call was sent by someone permitted to make API calls against an app, while the ticket ensures it is executed by someone with permissions in the app.

Since user tokens explicitly grant API access to a specific user, they combine both purposes in the same token. So, if you choose a user token, using an application token is unnecessary. In fact, if you use a user token as your authentication method, Quick Base doesn’t even check for the application token.

In general, user tokens are your best choice, for various reasons of convenience and security. However, it’s not secure to use user tokens in APIs that are called from a browser (for example, on an app dashboard) because someone could extract the token from the JavaScript source and use it to impersonate the user whose token it is.

Supplying the authentication ticket and application or user tokens in API calls

The following table describes when you need to supply the authentication ticket, application token, or user token. It assumes you've already authenticated the user using API_Authenticate (or are using a user token).

Are you accessing Quick Base via a web browser (can you rely on cookies)? | Are application OR USER tokens required? | You must supply the following in each API call:
Yes | Yes | The application token only. You need not supply the authentication ticket explicitly; the authentication ticket is supplied automatically by the cookie.
No | Yes | The authentication ticket, application token, or user token
Yes | No | None of the authentication ticket, application token, or user token. The app or user token is not required, and, if you are using a web browser, the authentication ticket will be supplied automatically.
No | No | The authentication ticket or user token
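The table and the user-token rules above, as an added Python example (not Quick Base's own code): `build_body` emits only the credentials a call needs and rejects the combinations this page rules out, including a user token in browser-side code. The `qdbapi`, `ticket` and `apptoken` element names, the `API_DoQuery` call name and the `/db/bexampledb` path are assumptions of this example and do not appear on the page.

```python
import xml.etree.ElementTree as ET


def user_token_allowed(api_call: str, url_path: str) -> bool:
    """Page rule: usertoken works with any API that doesn't post to a
    db/main URL, and also with API_GrantedDBs."""
    posts_to_main = url_path.rstrip("/").endswith("db/main")
    return api_call == "API_GrantedDBs" or not posts_to_main


def build_body(api_call, url_path, *, user_token=None, ticket=None,
               app_token=None, app_requires_token=False, cookies=False):
    """Return the XML request body with the credentials the table calls for.

    cookies=True means the call runs in a browser that already holds the
    ticket cookie. Element names other than usertoken are assumed here.
    """
    root = ET.Element("qdbapi")

    if user_token is not None:
        if cookies:
            # Browser-side code exposes the token in the JavaScript source.
            raise ValueError("do not embed a user token in browser-side code")
        if not user_token_allowed(api_call, url_path):
            raise ValueError(f"{api_call} at {url_path} cannot take a user token")
        ET.SubElement(root, "usertoken").text = user_token
        # With a user token the application token is not checked: omit it.
        return ET.tostring(root, encoding="unicode")

    if not cookies:
        # No cookie to carry the ticket, so it must travel in the body.
        if ticket is None:
            raise ValueError("no cookie: supply a ticket or a user token")
        ET.SubElement(root, "ticket").text = ticket

    if app_requires_token:
        if app_token is None:
            raise ValueError("this app requires an application token")
        ET.SubElement(root, "apptoken").text = app_token

    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values; TICKET and APPTOK are placeholders.
    print(build_body("API_DoQuery", "/db/bexampledb",
                     ticket="TICKET", app_token="APPTOK",
                     app_requires_token=True))
```
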


© 1999-2019 QuickBase, Inc. All rights reserved. Legal Notices.