- Applies to:
- All MindTouch Versions
- All tokens are scoped to and unique to a MindTouch site
- Can be a single string value or multiple string values, such as key/secret pairs
- Token string values can be up to 255 characters long
- Auth Token - Represents an authenticated user identity on a MindTouch site
- Browser API Token - Allows browser integrations that call the MindTouch API to execute on trusted domain names
- Server API Token - Allows server applications to call the MindTouch API
Auth Tokens (often stylized as authtoken) are set as HTTP cookies in a user's web browser after authentication. MindTouch Auth Tokens are generated by a MindTouch site and are cryptographically signed to prevent tampering.
Browser API Token
A Browser API Token has no specific user permissions for the API to determine which operations are or aren't allowed. User permissions are determined by the web browser session's authtoken HTTP cookie. If the user accessing the integration has not signed in to the MindTouch site, then the API considers the user to be an anonymous user
- Authorizing web browser integrations with the MindTouch API
- Authorize integrations between the MindTouch API and websites, web applications, Google Chrome apps, or simply anything that runs in a web browser.
- Pages: 2
Server API Token
- Authorizing server integrations with the MindTouch API
- Authorize integrations between the MindTouch API and server applications, IoT devices, bots, or anything that can communicate over HTTPS.
- Pages: 2
OAuth API Token
While Server API Tokens provide a developer with the ability to connect applications and devices to the MindTouch API with unlimited permissions, under some scenarios this level of access control is inappropriate for a developer. Examples include integrations between the MindTouch API and a third-party service, on behalf of the organization deploying MindTouch. By implementing OAuth 2.0 authorization flows, OAuth API Tokens allow MindTouch users to authorize which applications or devices can access their MindTouch user identities and allowed operations such as reading and writing content. OAuth API Tokens can be safely given to third-party developers, without the concern of handing over MindTouch site administrator access.
- Authorizing OAuth 2.0 integrations with the MindTouch API
- Integrate MindTouch users with server applications, IoT devices, bots, or anything that can communicate over HTTPS using an industry-standard authorization framework .
- Pages: 2
- Impersonation Auth Token - A legacy token that was used in a deprecated custom Single Sign-On flow
- Site API Key - A legacy token that elevated MindTouch API access permissions
All legacy token integrations implement weak security practices and should be avoided.
Support for legacy tokens is limited. Site API Keys were secret string values that were transferred to the MindTouch API as an HTTP header or query parameter. As a result, there are several vectors to compromise the Site API Key, leading to abuse or breaches. Impersonation Auth Tokens were a token signature format, signed by the Site API Key, that allowed an integration to generate an Auth Token for which ever MindTouch user identity the integration required.