About User Tokens

You can create your own user tokens in Quick Base and use them to run APIs and automation with your permissions. Many API calls that take a ticket can instead take a parameter called usertoken. You can still use the ticket method if you prefer. The usertoken parameter can be used with any API call that doesn't post to a db/main URL; the one db/main call that also accepts it is API_GrantedDBs.

Benefits of user tokens

User tokens offer an array of benefits, including:

  • No need for application tokens.
  • Greater convenience, because user tokens are pre-generated and don't require a call to API_Authenticate.
  • SAML/LDAP customers can use Quick Base APIs without creating a robot user or Gmail user. With user tokens, SAML users can create a token and call APIs with their own permissions.
  • If you're a Quick Base Solution Provider, you can add user tokens that won't expire to your scripts, so you won't have to find and fix authentication errors.
  • Enhanced security:
    • The scope of action is limited to just the apps you've assigned the user token to.
    • You can easily unassign a token from an app.
    • The user token can't be used to authenticate to the user interface (e.g., in URLs).
    • You can see when a user token was last used.
    • You can deactivate a token temporarily to debug a call or even quickly delete the user token if you suspect your app's security has been compromised.

Example

Here's an example of an API call using a ticket:

<qdbapi>
<udata>mydata</udata>
<ticket>auth_ticket</ticket>
<apptoken>app_token</apptoken>
<field fid="8">party at Lindisfarne</field>
<field fid="9">dress in style of the epoch</field>
<field fid="10">lindisfarne island</field>
</qdbapi>

Here's the equivalent action replacing the ticket with a user token (note that the apptoken is not necessary):

<qdbapi>
<udata>mydata</udata>
<usertoken>user_token</usertoken>
<field fid="8">party at Lindisfarne</field>
<field fid="9">dress in style of the epoch</field>
<field fid="10">lindisfarne island</field>
</qdbapi>

User tokens vs. application tokens

User tokens and application tokens both help secure your apps. For example, each helps authenticate callers and protect your apps from malicious API calls. So, when should you use a user token vs. an application token?

User tokens are a form of authentication, whereas an app token grants permission to call an app's API and must be sent alongside separate authentication information (either a ticket or a username/password). An application token ensures that an API call was sent by someone permitted to make API calls against that app, while the ticket ensures the call is executed by someone with permissions in the app.

Since a user token explicitly grants API access to a specific user, it combines both purposes in one token. So, if you use a user token, you don't need an application token. In fact, if you authenticate with a user token, Quick Base doesn't even check for an application token. However, a user token is a bearer credential: it's not secure to use one in an API call made from a browser (for example, on an app dashboard), because anyone who can view the page's JavaScript source or watch its network traffic can extract the token and use it to impersonate the user whose token it is. In general, treat user tokens with the same care as you do usernames and passwords: keep them on the server side, in a secrets store or environment variable rather than in source control, and revoke them if you suspect exposure.
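The following Python script is an added example, not code from Quick Base's documentation or its SDKs. It builds the two payloads shown above (ticket plus apptoken, and usertoken alone) with ElementTree so that field values containing <, > or & are escaped instead of breaking out of the field element, refuses to send a user-token request to a db/main URL other than API_GrantedDBs, and reads the token from a server-side environment variable rather than embedding it in anything a browser can fetch. The realm name "example", the table id "bqabcdefg" and the QB_USERTOKEN variable name are assumptions for illustration; the header names and URL shape are the XML API's documented conventions.

```python
import os
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical realm and table id; substitute your own (assumptions, not page values).
REALM = "example"
DBID = "bqabcdefg"
ACTION = "API_AddRecord"

# Field values taken from the page's example.
FIELDS = {
    8: "party at Lindisfarne",
    9: "dress in style of the epoch",
    10: "lindisfarne island",
}


def user_token_allowed(dbid, action):
    """A user token can't authenticate calls to db/main, except API_GrantedDBs."""
    return dbid != "main" or action == "API_GrantedDBs"


def build_payload(fields, *, usertoken=None, ticket=None, apptoken=None, udata="mydata"):
    """Serialise a <qdbapi> body.

    Exactly one of usertoken or ticket is required. With a user token no
    apptoken element is emitted, because Quick Base doesn't check for one.
    Values go through ElementTree so that '<', '>' and '&' in user-supplied
    data are escaped and can't inject extra elements into the request.
    """
    if bool(usertoken) == bool(ticket):
        raise ValueError("supply exactly one of usertoken or ticket")
    root = ET.Element("qdbapi")
    ET.SubElement(root, "udata").text = udata
    if usertoken:
        ET.SubElement(root, "usertoken").text = usertoken
    else:
        ET.SubElement(root, "ticket").text = ticket
        if apptoken:
            ET.SubElement(root, "apptoken").text = apptoken
    for fid, value in fields.items():
        ET.SubElement(root, "field", fid=str(fid)).text = value
    return ET.tostring(root, encoding="unicode")


def build_request(realm, dbid, action, body, *, uses_usertoken):
    """Build the POST; Quick Base reads the API name from the QUICKBASE-ACTION header."""
    if uses_usertoken and not user_token_allowed(dbid, action):
        raise ValueError(f"{action} against db/main can't use a user token; use a ticket")
    return urllib.request.Request(
        f"https://{realm}.quickbase.com/db/{dbid}",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/xml", "QUICKBASE-ACTION": action},
    )


if __name__ == "__main__":
    # The token comes from the server-side environment (assumed variable name),
    # never from a page or script a browser can fetch: it is a bearer credential.
    token = os.environ.get("QB_USERTOKEN")
    body = build_payload(FIELDS, usertoken=token or "user_token")
    req = build_request(REALM, DBID, ACTION, body, uses_usertoken=True)
    print(req.full_url)
    print(body)
    if token:  # only hit the network when a real token was supplied
        with urllib.request.urlopen(req, timeout=30) as resp:
            print(resp.read().decode("utf-8"))
```

Without QB_USERTOKEN set the script only prints the URL and the payload, which is a convenient way to confirm that no apptoken element is present and that untrusted field values come out escaped before you point it at a real realm.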

Create and assign a user token

You can create a user token and assign it to an application at the same time. Once created, the token is also available for assignment to other applications.

To create a new user token:
  1. On the user dropdown on the global bar, choose My preferences.

  2. Under My User Information, click the link for Manage my user tokens for realm ...

  3. Click the New user token button.

  4. Click OK.

  5. In the Basics section, enter a Name and a Description for your token.
  6. In the Assign token to apps section, click the dropdown arrows to select which apps you want to assign this token to. You can assign a token to as many as 20 apps.
  7. Click Save.

  8. The new token appears in the list of user tokens. API calls containing this token can now interact with the application. The new token is also available for assignment to other applications.