Authorization to any resource in these APIs is performed using an OAuth 2.0 Access Token.

As far as a client is concerned, the Access Token is an opaque blob of data that needs to be generated and interpreted by the other entities (an authorization server and a resource server).

The token is "zlib" zipped and base64-encoded, and the unencoded token has two halves: (1) a JSON part, and (2) a base64-encoded signature. The halves are delimited by the last occurrence of the string \n==SIGNATURE==\n (where "\n" is a new-line character).

For example (all of the following must be zipped and then base64-encoded to form a valid token):

{
  "user_id": "8d7(W=",
  "group_ids": ["8R", "2"],
  "scope": "user user:all admin",
  "expires_at": "(date/time)"
}
==SIGNATURE==
base64-encoded signature created using a private key

The JSON part of the unencoded Access Token has the following properties:

  • user_id - (required, object)
  • group_ids - (optional, array) A breadth-first list of all group ids the user is a member of. The most specific is listed first and the most general last (the top of the tree is last).
  • scope - (required, string)
  • expires_at - (required, timestamp)

Running echo 'base-64-encoded-token' | base64 -d | openssl zlib -d will show the unencoded token (but doesn't verify the signature).

The Authorization Scope defines which resources the Access Token grants to a client. For example, an Access Token with "scope": "cats dogs" would allow access to "cats" and "dogs" but not "elephants". Note that the authorization server may provide a token with fewer scopes than were requested.

| Scope | Description |
| --- | --- |
| self | Allows access to "GET /self" on the authorization server and nothing else |
| user:all | Allows access to all of the authenticated user's resources on the authorization server and any other server that accepts it (Files servers, for example). This includes Group Membership Resources and the list of Nodes that the user may access. A separate "node.{AK}:all" scope is needed to access resources on individual nodes. |
| admin:all | Allows access to more security-restrictive areas. The Access Tokens given with this scope will have shorter expirations and require re-authenticating more frequently. |
| node.{ak}:user:all | Allows access to files/folders/permissions/etc. Note that "{AK}" must be replaced with the Access Key ID. For example, an Access Token with scope "node.AK1:user:all" will give access to the Node API server identified by Access Key "AK1". |
| node.{ak}:admin:all | Allows administration of the Access Key itself and its Storage. Note that "{AK}" must be replaced with the Access Key ID. For example, an Access Token with scope "node.AK1:admin:all" will give access to the Node API server identified by Access Key "AK1". |
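
An added example, not the API's own code: a resource-server-side check in Python that inflates the token with a size bound, splits at the last delimiter, verifies the signature before parsing the JSON, then checks expiry and scope. Assumptions: the signature covers the JSON part, expires_at is ISO 8601 with a UTC offset, and the size cap and demo_* helpers are made up for illustration, with HMAC standing in for the real public-key verification.

```python
import base64, binascii, hashlib, hmac, json, zlib
from datetime import datetime, timezone

DELIM = b"\n==SIGNATURE==\n"
MAX_TOKEN_BYTES = 64 * 1024  # assumed cap on inflated size; not from the page
def check_token(token_b64, verify_sig, needed_scope, now=None):
    """Return the claims if the token is valid for needed_scope, else raise ValueError.
    verify_sig(json_bytes, sig_bytes) -> bool is caller-supplied (algorithm is assumed)."""
    try:
        inflater = zlib.decompressobj()
        packed = base64.b64decode(token_b64, validate=True)
        raw = inflater.decompress(packed, MAX_TOKEN_BYTES + 1)  # bounded inflate
    except (binascii.Error, zlib.error) as exc:
        raise ValueError("malformed token") from exc
    if len(raw) > MAX_TOKEN_BYTES or not inflater.eof:
        raise ValueError("token too large or truncated")
    json_part, sep, sig_b64 = raw.rpartition(DELIM)  # split at the LAST delimiter
    if not sep:
        raise ValueError("signature delimiter missing")
    try:
        sig = base64.b64decode(sig_b64.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed signature") from exc
    if not verify_sig(json_part, sig):  # check the exact bytes before parsing them
        raise ValueError("bad signature")
    claims = json.loads(json_part)
    if not (isinstance(claims, dict) and "user_id" in claims
            and isinstance(claims.get("scope"), str)):
        raise ValueError("missing or malformed required property")
    try:  # expires_at is assumed to be ISO 8601 with a UTC offset
        expires = datetime.fromisoformat(claims["expires_at"])
        expired = expires <= (now or datetime.now(timezone.utc))
    except (KeyError, TypeError) as exc:
        raise ValueError("missing or malformed expires_at") from exc
    if expired:
        raise ValueError("token expired")
    if needed_scope not in claims["scope"].split():  # whole scope, not a substring
        raise ValueError("scope not granted")
    return claims

# Constructed sample: HMAC with a demo key stands in for the real public-key check.
DEMO_KEY = b"demo-key-not-a-real-secret"
def demo_verify(data, sig):
    return hmac.compare_digest(hmac.new(DEMO_KEY, data, hashlib.sha256).digest(), sig)

def demo_token(claims):
    body = json.dumps(claims).encode()
    sig = base64.b64encode(hmac.new(DEMO_KEY, body, hashlib.sha256).digest())
    return base64.b64encode(zlib.compress(body + DELIM + sig))
```

In a real deployment, replace demo_verify with a function that checks the signature against the authorization server's public key.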