REST API endpoint

I have an application that currently posts data using POST https://api.losant.com/applications/APPLICATION_ID/devices/DEVICE_ID/state.

For this test I created an API token that only has “send state” permissions.

If I wanted to also allow the application to acquire tokens on its own, could that be done through the “auth” endpoint?
If so, how can I still allow only usage of “send state”?

Hi Lars,

Please correct me if I have misunderstood your question. It sounds as though your token has custom permissions enabled exclusively for the Send State action. If you created this token with these permissions, they cannot be edited and thus will not be able to create new tokens.

Thanks,
Julia

Understood. So if I want to enable the “Send state” action and whatever makes it possible to create new tokens, which action do I need to enable in those custom permissions?

Hi @Lars_Andersson,

Here is the API you’re looking for:

You can find out all the things you can “scope” here:

https://docs.losant.com/rest-api/schemas/#application-api-token-post

Here is an example:

curl -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -H 'Authorization: Bearer YOUR_API_ACCESS_TOKEN' \
    -X POST \
    -d '{"name":"My New API Token","expirationDate":"2017-06-13T04:00:00.000Z","scope":["all.Application"],"status":"active"}' \
    https://api.losant.com/applications/APPLICATION_ID/tokens

The scope to limit state would be device.sendState.

And that should be just what you need :slight_smile:

Oh, and just to add, the above is a curl example. This can also be done with the Losant API Node:

So if the initial token has permissions for “Send state” and “Application API tokens - Post”, any new tokens requested will have the same permissions?

Each token is independent and contains its own permissions that are set during creation.
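The point made in the last two messages (a holder of the token-creation permission can request a token with any scope, because each token's scopes are set independently at creation) is easy to check for before minting a customer token. The following is an added example, not code from this thread or from Losant's SDK: it builds the token and state request bodies shown above and flags scope lists that carry an escalation path. The scope name `applicationApiToken.post` for the “Application API tokens - Post” permission and the `{"data": ...}` state body shape are assumptions; `device.sendState` and `all.Application` come from the thread.

```python
# Added example (not from the thread or Losant). Audits requested scopes before a
# customer-facing API token is created, and builds the request bodies discussed above.
import json
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.losant.com"

SEND_STATE = "device.sendState"            # scope named in the thread
TOKEN_POST = "applicationApiToken.post"    # ASSUMED name of "Application API tokens - Post"


def escalation_scopes(scopes):
    """Scopes that let a holder broaden its own access: any all.* scope, or the
    ability to mint new tokens (each new token's scopes are chosen at creation,
    so a token-minting holder can simply request all.Application)."""
    return sorted(s for s in scopes if s.startswith("all.") or s == TOKEN_POST)


def audit_customer_scopes(requested, allowed=frozenset({SEND_STATE})):
    """Reject a scope list that exceeds the customer allow-list or contains an
    escalation path. Returns a dict so callers can log the reason."""
    extra = sorted(set(requested) - set(allowed))
    risky = escalation_scopes(requested)
    return {"ok": not extra and not risky, "outside_allowlist": extra, "escalation": risky}


def token_request(name, scopes, ttl_days=30, now=None):
    """Body for POST /applications/APPLICATION_ID/tokens, with the same fields as
    the curl example above; the expiry is derived so tokens are never open-ended."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"name": name, "expirationDate": expires, "scope": list(scopes), "status": "active"}


def send_state_request(app_id, device_id, token, data):
    """URL, headers and body for the state POST from the first message.
    The {"data": ...} body shape is an assumption about Losant's state schema."""
    url = f"{API_BASE}/applications/{app_id}/devices/{device_id}/state"
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Bearer {token}"}
    return url, headers, json.dumps({"data": data})


if __name__ == "__main__":
    # Constructed sample inputs: a safe request and one that could mint wider tokens.
    print(audit_customer_scopes([SEND_STATE]))
    print(audit_customer_scopes([SEND_STATE, TOKEN_POST]))
    print(token_request("customer-send-state", [SEND_STATE], ttl_days=7))
```

Only scope lists that pass `audit_customer_scopes` should be passed on to `token_request`; a token holding only `device.sendState` cannot widen itself, which is the property the thread is after.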

So I have a customer that wants to utilize the API for sending device states, but if I allow them to also utilize the tokens post, they could theoretically request a token that would have permissions to everything in the application?
If that’s the case, what other options do I have, if any, other than a “fixed” token?

@Lars_Andersson,

Thank you for this. This was super helpful. Typically, this type of background helps us help you better:

But, what you’re describing here is impossible. For problems like this, you can build your own Experience API.

You can make an authenticated route for your customer to report state (/my-application/state).

What you’re describing here is something Losant can do, but you’d have to build this functionality into your experience. For example, all the things you’d like customers to do to your application, you can expose an Experience Endpoint for.

Instead of thinking of it as a “fixed” token, it’s a “fixed” endpoint. Then, you can control the authentication logic of the input in an Experience Workflow.

Thanks for that explanation.
Any good examples for doing what I describe?

So if I set up a fixed endpoint to be able to handle device send states and request new tokens, I still need to set up a user that should authenticate against this endpoint. Getting ready to start setting this up, so any further info would be very much appreciated.

@Lars_Andersson,

Of course, here is more information that should help.

Your users in this case would be Experience Users:

They are authenticated in the following ways:

To retrieve this token, you can make a /login Experience Endpoint. The “Post /login” workflow in the default experience is a great example of this. However, instead of returning content, you can return a JSON object with your token.

To test everything, I recommend POSTMAN:

Thanks.
Will a token generated via an experience workflow show up in the application API token list too?

Application API tokens are not the same as Experience User Tokens.

API Tokens provide authentication and authorization for service-to-service access to the Losant API.

Experience Tokens provide authentication and authorization for your Experience Endpoints. Experience Tokens cannot be used to access the Losant API directly.