MindTouch Success Center

Types of tokens

MindTouch uses different types of tokens for specific use cases and API integrations.

Token attributes

  • All tokens are scoped to and unique to a MindTouch site
  • Can be a single string value or multiple string values, such as key/secret pairs
  • Token string values can be up to 255 characters long

Supported tokens

  • Auth token - Represents an authenticated user identity on a MindTouch site
  • Browser API token - Allows browser integrations that call the MindTouch API to execute on trusted domain names
  • OpenID Connect token - Exchanged between a MindTouch site and an OpenID Connect identity provider
  • Server API token - Allows server applications to call the MindTouch API

Auth token

Auth tokens (often stylized as authtoken) are set as HTTP cookies in a user's web browser after authentication. MindTouch auth tokens are generated by a MindTouch site and are cryptographically signed to prevent tampering.

Browser API token

Browser API tokens are sent from a website, web application, or simply anything that runs in a web browser to the MindTouch API. 

Creating web browser integrations with the MindTouch API
Create integrations between the MindTouch API and websites, web applications, Google Chrome apps, or simply anything that runs in a web browser.

OpenID Connect tokens

The OpenID Connect specification defines identity and access tokens for establishing trust and identity sharing during a Single Sign-On flow. These types of tokens are never provided directly to a user or application outside of the integration between a MindTouch site and an OpenID Connect identity provider.

Server API token

Server API tokens are a key and secret pair that sign requests from server applications, IoT devices, bots, or anything that can communicate over HTTPS to the MindTouch API.

Creating server integrations with the MindTouch API
Create integrations between the MindTouch API and server applications, IoT devices, bots, or anything that can communicate over HTTPS.

Legacy tokens

  • Impersonation auth token - A legacy auth token format that was used in a deprecated custom Single Sign-On flow
  • Site API key - A legacy token that elevated MindTouch API access permissions

All legacy token integrations implement weak security practices and should be avoided.

Support for legacy tokens is limited. Site API keys were secret string values that were transferred to the MindTouch API as an HTTP header or query parameter. As a result, there are several vectors to compromise the site API key (for example, request logs, browser history, and proxies that record the URL or headers), leading to abuse or breaches. Impersonation auth tokens were a token signature format, signed by the site API key, that allowed an integration to generate an auth token for whichever MindTouch user identity the integration required.
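The difference between a server API token (a key/secret pair that signs requests) and a legacy site API key (a secret sent in a header or query parameter) is easiest to see in code. The following is an added illustration, not MindTouch's own code or wire format: the header names, the canonical-string layout, and the credentials are all constructed assumptions. It shows a client signing a request with HMAC-SHA256 so the secret never leaves the client, a server recomputing and comparing the signature in constant time with a replay window on the timestamp, and, for contrast, how the legacy style of passing the secret in the URL exposes it to anything that records the request.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed, hypothetical credentials; not a real MindTouch key or secret.
API_KEY = "example-key-id"
API_SECRET = "example-secret-do-not-reuse"

# Hypothetical header names used by this example only.
H_KEY, H_TS, H_SIG = "X-Api-Key", "X-Api-Timestamp", "X-Api-Signature"


def canonical_request(method, url, timestamp):
    """String that is signed: method, path, sorted query, timestamp.
    The layout is an assumption of this example, not MindTouch's format."""
    parts = urlsplit(url)
    query = "&".join(sorted(parts.query.split("&"))) if parts.query else ""
    return "\n".join([method.upper(), parts.path, query, str(timestamp)])


def sign_request(method, url, key, secret, timestamp=None):
    """Client side: return headers carrying the key id, a timestamp and an
    HMAC-SHA256 over the canonical request. The secret itself is never sent."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    msg = canonical_request(method, url, timestamp).encode()
    sig = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {H_KEY: key, H_TS: str(timestamp), H_SIG: sig}


def verify_request(method, url, headers, secrets_by_key, now, max_skew=300):
    """Server side: look up the secret for the presented key id, reject
    timestamps outside the replay window, recompute the HMAC over what was
    actually received and compare in constant time."""
    secret = secrets_by_key.get(headers.get(H_KEY))
    if secret is None:
        return False
    try:
        ts = int(headers.get(H_TS, ""))
    except ValueError:
        return False
    if abs(now - ts) > max_skew:
        return False
    msg = canonical_request(method, url, ts).encode()
    expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get(H_SIG, ""))


def legacy_url_with_api_key(url, api_key):
    """Legacy style (for contrast): the shared secret travels in the query
    string, so every access log, proxy and browser history entry holds it."""
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}apikey={api_key}"


def secret_visible_in_log(log_line, api_key):
    """Detection helper: does a recorded request line contain the secret?
    Useful when auditing logs for a legacy key that must be rotated."""
    return api_key in log_line


if __name__ == "__main__":
    # Constructed request; the path is a placeholder, not a MindTouch endpoint.
    url = "https://example.invalid/api/pages/1?limit=10&format=json"
    hdrs = sign_request("GET", url, API_KEY, API_SECRET, timestamp=1700000000)
    print(verify_request("GET", url, hdrs, {API_KEY: API_SECRET}, now=1700000010))
    # Constructed access-log line showing where a legacy key would surface.
    print(secret_visible_in_log(
        'GET ' + legacy_url_with_api_key(url, "legacy-site-key") + ' 200',
        "legacy-site-key"))
```

The signed request carries only the key id and a signature bound to method, path, query and time, so a captured request can at most be replayed unchanged inside the skew window and cannot be turned into a different call; the legacy form hands the full secret to every system that records the URL.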
