Application Tokens

This topic refers to functionality that is not available to accounts on the Quick Base Essential plan. If the functionality described here does not match what you're seeing in Quick Base, your account is probably on this plan.

Advanced programmers have the ability to create web pages and other systems that interact with Quick Base. This fancy coding is possible through the Quick Base HTTP API. If you plan to make API calls to your application, you'll want to use either user tokens or application tokens.

An application token is an extra string of characters you insert within an API call if the call is using a ticket or username/password for authentication. That string must match one of the application tokens assigned to the application your API call targets. You control whether or not your application requires tokens.

Note: If the API call passes a user token for authentication, an application token is unnecessary. Learn more

User tokens vs. application tokens

User tokens and application tokens both help secure your apps. So, when should you use a user token vs. an application token?

User tokens are a form of authentication, whereas app tokens provide permission to access an app in addition to authentication information (either as a ticket or username/password). Application tokens ensure that an API call was sent by someone permitted to make API calls against an app, while the ticket ensures it is executed by someone with permissions in the app.

Since user tokens explicitly grant API access to a specific user, they combine both purposes in the same token. So, if you use a user token, you don't need to use an application token. In fact, if you use a user token as your authentication method, Quick Base doesn’t even check for the application token. However, note that it’s not secure to use user tokens in APIs that are called from a browser (for example, on an app dashboard) because someone could extract the token from the JavaScript source and use it to impersonate the user whose token it is. In general, you should treat user tokens with the same care as you do username/passwords.

FAQs

Why should I use application tokens?

Application tokens are an added layer of security to protect your application. Application tokens prevent unauthorized persons from creating API calls to your application. You can require application tokens for all your applications.

If you later decide you don't want to use app tokens and your application does not contain sensitive data, you can disable tokens for that application. If you do so, API calls will work, even if they specify an application token. But Quick Base recommends using app tokens unless you authenticate using a user token.

When should I disable application tokens?

If you want to use exact forms, disable application tokens. If you're having trouble incorporating a Quick Base add-on or wizard that uses application tokens, you can disable them. Likewise, if your application features formula URL fields that include API calls, you can save yourself the trouble of updating those calls with application tokens by disabling application tokens. But disabling application tokens is a workaround solution and means that you'll lose the additional level of security that app tokens provide. In these cases, you can authenticate with a user token to protect your app against malicious access.

Generating a token is a one or two-step process, depending upon whether the token exists already:

Access the Manage Application Tokens page

From the Manage Application Tokens page, you can view application tokens for this app, create new tokens, and assign existing tokens to this app.

To access the Manage Application Tokens page, or view application tokens:
  1. In the App bar, select the application you want, click SETTINGS, then click App properties.

  2. Click Advanced settings to expand the section, if needed.

  3. Under Application Tokens, click the Manage Application Token link.

Create and assign an application token

You can create a token and assign it to an application at the same time. When you do so, the token will be available for assignment to other applications too.

To create a new application token:
  1. Access the Manage Application Tokens page.

  2. Click Create New Application Token.

  3. Type in a description to remind you what the token does.

  4. If you want Quick Base to copy this token when you copy the application, turn on the Ok to Copy checkbox.

  5. Click OK.

    The new token appears in the list of application tokens. API calls containing this token can now interact with the application. The new token is available for assignment to other applications.

Assign an existing token to an application

If the token you want to assign already exists, assign it to the app with which you want API calls to work.

To assign an existing token to the current app:
  1. Access the Manage Application Tokens page.

  1. Click Assign Existing Application Token.

  2. Paste or type in the application token.

    Alternatively, you can choose an existing token: click Choose Existing Token, and choose a token from the dropdown.

  3. Type in a description to remind you what the token does.

  4. Select the OK to Copy checkbox to copy this token when you copy the application.

  5. Click OK. API calls containing this token can now interact with the application.

Sample URL featuring an API call with token

Insert the token as you'd insert any parameter in a URL string:

&apptoken=token

Replace token with the actual token itself, as in this example:

https://myaccount.quickbase.com/db/bdz6zm7uy?a=api_clonedatabase&newdbname=MyTestApp&newdbdesc=Testing&keepData=1&apptoken=bghbnjfu7s9amn7akduwomaytzy

Further details on crafting API calls are available in the Quick Base HTTP API documentation.

Related Topics:

 

Go back      |       

© 1999-2018  QuickBase, Inc.  All rights reserved.  Legal Notices.