I generate the access token for my account from the account security tab . Is there any way to get the access token via API call ??
No such a API, the PAT will be displayed once you create it and this is the ONLY time the PAT will be displayed.
Make sure you copy the token now. We don't store it and you won't be
able to see it again.
You will need to copy it and store it somewhere safe, so that you can retrieve it as needed.
You can Revoke The PAT and create a new one, then replace with the new PAT
Related
I want to get the latest balances of accounts every time the user opens the page in our system. in order to do that, I need a public_token to request for access token and load accounts balance, but I couldn't find how to generate a public token without Link initialization. is there a way?
No, this is not possible except in the Sandbox test environment. Note that once you have an access token, you can save and re-use it for future calls.
I am using gapi.auth2.authorize to authorize people in my Google Photos API app but I cannont find a why to unauthorize or disconnect them from the app. What I have noticed though is that there is no way of using an old access token so that the user doesn't need to authorize.
How can I make the access token invalid?
Is it correct that every time the API is used the user has to authorize?
Thanks
How can I make the access token invalid?
Not possible to invalidate an access token, it will expire after 1h
You can check documenttation here
Is it correct that every time the API is used the user has to authorize?
Nope, you should ask users to authorize only once, using a refresh token that you can keep in your back-end, thus allowing your app to content on on users behalf all the time, until they revoke permissions
I'm developing a mobile app which will allow users to browse without signing up. I would like to have all my endpoints secured via token.
How would we go about allowing anonymous browsing? i.e. provide a token to anonymous users.
Not sure to understand your case, why do you need a token if your users aren't registered and your API opens to everyone?
The authentication system of Strapi has been built to only send token to registered users. However, the easiest way to make it work for you is to register every visitor coming in your app based on their IP or something unique as a username and set the same password for each one of them. Then, every time the user comes back, you can call the /auth/local URL to sign-in the user and get the token or use the token stored in the local storage.
I'm making use of the Yammer APIs and embed feed. I was wondering if it was possible to force a sign into Yammer using the user's access token (saved in some local storage). Is it possible to make the yam.getloginstatus() function return true with just the access token, instead of having the user login every time?
There is a setAuthToken() method available which can be used to inject a token. You can continue to authorize a user to your Yammer app and store the token, or use the more advanced approach with impersonation as laid out in the article that is linked. Make sure to create threat models for your application so you have a plan to protect user tokens.
I want to supply my users a Dropbox access token trough my Parse server.
For the one who don't know, Dropbox access token is a string that supplies direct access to a dropbox account files, it should be secret, because if anyone finds it he can delete all the files.
My server should store many access tokens and it should supply the user the correct token, but the problem is that because the anonymous log in i'm afraid that if someone will know the parse server key, he could get all the secret dropbox access tokens.
In first place i supply the access tokens in server for security reasons and not put it hard coded to protect it.
But what's the difference if i put the parse key hard coded?
Is there a way to handle this?
thanks.
Yes you are correct. If somebody knows your ApiKey he can query your parse server without any problem unless you use ACL
ACL is access control list which allows you to decide (on the application level) which users/roles can read or write to one or more parse objects or parse users. In runtime Parse will check if the logged in user has an access to read or write the object and only if it will have an access it will return the results to the client.
So i suggest you to protect your users/tokens with ACL's if you like to protect only the access tokens then i suggest you to create a separate class that will store the user access token and in this class you need to create an ACL for the relevant user only.
You can read more about ACL's in here:
iOS SDK
Android SDK
JavaScript SDK