Authentication and secure access

Once you've authenticated as a Quick Base user, you can invoke API calls to access Quick Base data. Depending on how your app and account are set up, you may be required to supply the following with each API call:

Upon receiving the API call, Quick Base examines the authentication and application token you provided.

Also, Quick Base allows API access to an application only via SSL (by default) when you create an application. In some circumstances the application manager might change this requirement. For example, the application might be used by a program via the Quick Base API that does not support SSL. Read more about changing an application's SSL requirements.

About the authentication ticket

When you authenticate a user using API_Authenticate, Quick Base returns an authentication ticket in these two formats:

By default, the ticket is valid for 12 hours. You can change this default in the API_Authenticate call; you can set the duration of the ticket's validity from one hour to several days.

The user token is an alternate means of authentication for APIs and automation that is generally more secure and convenient.

Note: Beginning January 21, 2018, all new API_Authenticate tickets have a time limit of 6 months.

About application tokens

An application token is an extra string of characters used to verify that access to a Quick Base application is authorized. You create application tokens for each application you want to secure; you can then insert the app token into API calls used to access the app. Unless they contain the matching application token, API calls will not be granted access to the application.

Application tokens are optional and provide an added layer of security to protect your application. Application tokens prevent unauthorized persons from creating API calls to your application. You can create tokens from within the Quick Base application, or using the createapptoken parameter with the API_CreateDatabase call.

If you have chosen to use application tokens, you'll need to supply a valid application token with most API calls.

A developer can request from 1 to 500 application tokens. In general, developers obtain one application token and use it for all their applications.

Note: You can also create your own user tokens in Quick Base and use them to run APIs and automation. Many API calls that use a ticket can instead take the usertoken parameter. You can still use the ticket method if you prefer. The usertoken parameter can be used with any API that doesn't post to a db/main URL, and also with API_GrantedDBs.

What if an unauthorized person uses an application token?

If you determine that an unauthorized person has used someone else’s application token, you should contact Quick Base Customer Care. Our team will then remove the user's access rights and revoke the application token.

User tokens vs. application tokens

User tokens and application tokens both help secure your apps. For example, each helps authenticate users and protect your apps from malicious API calls. So, when should you use a user token vs. an application token?

User tokens are a form of authentication, whereas app tokens provide permission to access an app in addition to authentication information (either as a ticket or username/password). Application tokens ensure that an API call was sent by someone permitted to make API calls against an app, while the ticket ensures it is executed by someone with permissions in the app.

Since user tokens explicitly grant API access to a specific user, they combine both purposes in the same token. So, if you choose a user token, using an application token is unnecessary. In fact, if you use a user token as your authentication method, Quick Base doesn’t even check for the application token.

In general, user tokens are your best choice, for various reasons of convenience and security. However, it's not secure to use user tokens in APIs that are called from a browser (for example, on an app dashboard) because someone could extract the token from the JavaScript source and use it to impersonate the user whose token it is.

Supplying the authentication ticket and application or user tokens in API calls

The following table describes when you need to supply the authentication ticket, application token, or user token. It assumes you've already authenticated the user using API_Authenticate (or are using a user token).

Accessing via web browser    App or user token    You must supply in each API call
(can you rely on cookies)?   required?
------------------------------------------------------------------------------------
Yes                          Yes                  The application token only. You need
                                                  not supply the authentication ticket
                                                  explicitly; it is supplied
                                                  automatically by the cookie.
No                           Yes                  The authentication ticket and the
                                                  application token, or a user token.
Yes                          No                   Neither the authentication ticket
                                                  nor a token. The app or user token
                                                  is not required, and the ticket is
                                                  supplied automatically by the cookie.
No                           No                   The authentication ticket or a user
                                                  token.
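As an added example (not Quick Base's own code), the following Python applies the decision table above and the user-token rules from the previous section when assembling an XML API call. It assumes the XML API's <qdbapi> request body with <ticket>, <apptoken> and <usertoken> child elements and the QUICKBASE-ACTION header, neither of which this page shows, and uses a placeholder realm and dbid.

```python
# Added example: choose which credentials a Quick Base XML API call must carry.
# Assumption (not on this page): the body is a <qdbapi> element whose children
# are the request fields, and the action name travels in QUICKBASE-ACTION.
import xml.etree.ElementTree as ET


def choose_credentials(browser, tokens_required, ticket=None,
                       apptoken=None, usertoken=None):
    """Return the credential fields to send, following the decision table."""
    if browser and usertoken:
        # A user token in browser-side code can be read out of the JavaScript
        # source and used to impersonate its owner, so refuse to embed it.
        raise ValueError("do not embed a user token in browser-side calls")
    if usertoken:
        # A user token carries both authentication and app permission, and the
        # application token is not checked when one is supplied.
        return {"usertoken": usertoken}
    creds = {}
    if not browser:
        # Without a cookie the authentication ticket must be sent explicitly.
        if not ticket:
            raise ValueError("authentication ticket required without cookies")
        creds["ticket"] = ticket
    if tokens_required:
        if not apptoken:
            raise ValueError("application token required for this app")
        creds["apptoken"] = apptoken
    return creds


def build_request(action, dbid, creds, **fields):
    """Assemble URL, headers and <qdbapi> body; always uses https (SSL)."""
    root = ET.Element("qdbapi")
    for name, value in {**creds, **fields}.items():
        ET.SubElement(root, name).text = value  # ET escapes &, < and >
    return {
        "url": f"https://example.quickbase.com/db/{dbid}",  # placeholder realm
        "headers": {"QUICKBASE-ACTION": action,
                    "Content-Type": "application/xml"},
        "body": ET.tostring(root, encoding="unicode"),
    }


if __name__ == "__main__":
    # Constructed sample values; a real ticket comes from API_Authenticate.
    creds = choose_credentials(False, True, ticket="TICKET", apptoken="APPTOKEN")
    print(build_request("API_DoQuery", "dbid_placeholder", creds,
                        query="{'3'.GT.'0'}")["body"])
```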

Changing SSL requirements for an application

Caution: Allowing non-SSL access to your application enables third parties to see data that is transmitted. Only allow non-SSL access if absolutely necessary for your application.

SSL is a communication protocol that is often used on the Internet to prevent third parties from being able to see the data being transmitted. Because most users want their data to be as secure as possible, Quick Base does not allow non-SSL access by default when you create an application.  Users can access application data only if they are using a browser that supports SSL.

However, there are some special situations where an application manager might want to change this requirement. For example, the application might be used by a program via the Quick Base API that does not support SSL.  The application manager might then choose to allow non-SSL access via API.  This setting is less secure, and should be used only if absolutely necessary. Read more about changing the SSL requirements for an application in the online help.


© 1999-2017 QuickBase, Inc. All rights reserved. Legal Notices.