About User Tokens

This topic refers to functionality that is not available to accounts on the Quick Base Essential plan. If the functionality described here does not match what you're seeing in Quick Base, your account is probably on this plan.

You can create your own user tokens in Quick Base and use them to run APIs and automation with your permissions. Many API calls that use a ticket can instead take a parameter called usertoken. The user token parameter can be used with any API that doesn't post to a db/main URL, and also with API_GrantedDBs.

Tip: We recommend you create a system or service user for your user tokens.

Benefits of user tokens

User tokens offer the following benefits:

  • No need for app tokens.
  • Greater convenience, because user tokens are pre-generated and don't require a call to API_Authenticate.
  • Enhanced security:
    • The scope of action is limited to just the apps you've assigned the user token to.
    • You can easily unassign a token from an app.
    • The user token can't be used to authenticate to the user interface (e.g., in URLs).
    • You can see when a user token was last used.
    • You can deactivate a token temporarily to debug a call or even quickly delete the user token if you suspect your app's security has been compromised.
    • SAML customers can use Quick Base APIs without creating a robot user or Gmail user. With user tokens, SAML users can create a token and call APIs with their own permissions.
    • If you're a Quick Base Solution Provider, you can add user tokens that won't expire to your scripts, so you avoid having to find and fix authentication errors.

Examples

Here's an example of an API call using a ticket:

<qdbapi>
<udata>mydata</udata>
<ticket>auth_ticket</ticket>
<apptoken>app_token</apptoken>
<field fid="8">value 1</field>
<field fid="9">value 2</field>
<field fid="10">value 3</field>
</qdbapi>

Here's the equivalent action replacing the ticket with a user token (note that the apptoken is not necessary):

<qdbapi>
<udata>mydata</udata>
<usertoken>user_token</usertoken>
<field fid="8">value 1</field>
<field fid="9">value 2</field>
<field fid="10">value 3</field>
</qdbapi>

Here’s example URL syntax including a user token:

https://target_domain/db/target_dbid?a=API_EditRecord
&rid=154&_fnm_second_year=1776&_fid_8=changed&update_id=992017018414
&ticket=auth_ticket&usertoken=user_token

When to use a user token vs. an app token

User tokens are a form of authentication. App tokens, by contrast, provide permission to access an app and are sent in addition to authentication information (either a ticket or a username and password). The app token ensures that an API call was sent by someone permitted to make API calls against the app, while the ticket ensures that the call is executed by someone with permissions in the app.

Since user tokens explicitly grant API access to a specific user, they combine both purposes in the same token. If you use a user token, you don't need to use an app token.

Note: It is not secure to use user tokens in APIs that are called from a browser (for example, on an app dashboard), because someone could extract the token from the JavaScript source and use it to impersonate the user whose token it is.
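The note above is the reason to keep the token in server-side code. This added example, which is not Quick Base's own code, builds the XML call shown under Examples with the user token read from an environment variable and placed in the request body rather than the URL, and masks token values before anything is logged. The QB_USER_TOKEN variable name, the function names and the sample token are assumptions; the QUICKBASE-ACTION header follows Quick Base's XML API convention and does not appear on this page.

```python
import os
import re
import urllib.request
import xml.etree.ElementTree as ET

TOKEN_ENV = "QB_USER_TOKEN"  # assumed variable name, not a Quick Base convention


def build_request(domain, dbid, action, fields, udata=None):
    """Build (not send) an XML API request that carries the user token in the body."""
    token = os.environ.get(TOKEN_ENV)
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set; refusing to build the call")
    root = ET.Element("qdbapi")
    if udata is not None:
        ET.SubElement(root, "udata").text = udata
    ET.SubElement(root, "usertoken").text = token
    for fid, value in fields.items():
        # ElementTree escapes <, > and & so field data cannot break the XML.
        ET.SubElement(root, "field", fid=str(fid)).text = str(value)
    return urllib.request.Request(
        f"https://{domain}/db/{dbid}",  # no token or ticket in the URL
        data=ET.tostring(root, encoding="utf-8"),
        method="POST",
        headers={"Content-Type": "application/xml", "QUICKBASE-ACTION": action},
    )


def redact(text):
    """Mask usertoken/ticket values in URLs or XML before the text is logged."""
    text = re.sub(r"(?i)\b(usertoken|ticket)=[^&\s]+", r"\1=REDACTED", text)
    return re.sub(r"(?i)<(usertoken|ticket)>[^<]*</\1>", r"<\1>REDACTED</\1>", text)


if __name__ == "__main__":
    os.environ.setdefault(TOKEN_ENV, "constructed_sample_token")  # constructed value
    req = build_request("target_domain", "target_dbid", "API_EditRecord",
                        {8: "value 1", 9: "a & b"}, udata="mydata")
    print(req.full_url)
    print(redact(req.data.decode()))
```

Pass the returned request to urllib.request.urlopen from a server-side job running as the system or service user that owns the token.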

Create and assign a user token

You can create a user token and assign it to an app at the same time. The token is also available to assign to other apps.

To create a new user token:
  1. On the user drop-down on the global bar, choose My preferences.

  2. Under My User Information, click the link for Manage my user tokens for realm ...

  3. Click the New user token button.

  4. Click OK.

  5. In the Basics section, enter a Name and a Description for your token.

  6. In the Assign token to apps section, click the drop-down arrows to select which apps you want to assign this token to. You can assign a token to as many as 20 apps.

  7. Click Save.

  8. The new token appears in the list of user tokens. API calls containing this token can now interact with the application. The new token is also available for assignment to other applications.

    For more details about managing user tokens, click here.

 


© 1999-2019  QuickBase, Inc.  All rights reserved.  Legal Notices.