Please correct me if I have misunderstood your question. It sounds as though your token has custom permissions enabled exclusively for the Send State action. If you created this token with these permissions, they cannot be edited and thus will not be able to create new tokens.
So I have a customer that wants to utilize the API for sending device states, but if I allow them to also utilize the tokens POST, they could theoretically request a token that would have permissions to everything in the application?
If that’s the case, what other options do I have, if any other than a “fixed” token?
Thank you for this. This was super helpful. Typically, this type of background helps us help you better:
But, what you’re describing here is impossible. For problems like this, you can build your own Experience API.
You can make an authenticated route for your customer to report state (/my-application/state).
What you’re describing here is something Losant can do, but you’d have to build this functionality into your experience. For example, all the things you’d like customers to do to your application, you can expose an Experience Endpoint for.
Instead of thinking of it as a “fixed” token, it’s a “fixed” endpoint. Then, you can control the authentication logic of the input in an Experience Workflow.
So if I set up a fixed endpoint to be able to handle device send states and request new tokens, I still need to set up a user that should authenticate against this endpoint. Getting ready to start setting this up, so any further info would be very much appreciated.
Of course, here is more information that should help.
Your user in this case would be Experience Users:
They are authenticated in the following ways:
To retrieve this token, you can make a /login Experience Endpoint. The “Post /login” workflow in the default experience is a great example of this. However, instead of returning content, you can return a JSON object with your token.
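The pattern the thread converges on, shown as an added example that is not code from the thread or from Losant: a customer never holds an application token at all; they log in to a fixed /login endpoint, receive a token whose only scope is reporting state, and every other endpoint checks that scope before doing anything. Losant Experience Workflows are built in the visual editor rather than in Python, so this is a plain-Python mock of the request/response logic only. The user record, the HMAC key, the scope names (`state:write`, `tokens:create`) and the handler names are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key; in a real deployment it would live in secure workflow config.
SECRET = b"constructed-demo-secret"

# Constructed Experience User store: username -> password (plaintext only for the demo).
USERS = {"acme-gateway": "correct horse battery staple"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id, scopes, ttl_seconds=3600, now=None):
    """Mint a compact HMAC-signed token carrying only the scopes the endpoint decides to grant."""
    now = int(time.time()) if now is None else now
    payload = {"sub": user_id, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload


def post_login(request):
    """POST /login: authenticate an Experience User and hand back a narrowly scoped token."""
    username = request.get("username", "")
    password = request.get("password", "")
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401, {"error": "invalid credentials"}
    # The endpoint, not the caller, decides what the token may do.
    return 200, {"token": issue_token(username, {"state:write"})}


def _authorize(request, required_scope):
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None, (401, {"error": "missing bearer token"})
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return None, (401, {"error": "invalid or expired token"})
    if required_scope not in claims.get("scopes", []):
        return None, (403, {"error": f"scope {required_scope} required"})
    return claims, None


def post_state(request):
    """POST /my-application/state: the only thing the customer's token is allowed to do."""
    claims, err = _authorize(request, "state:write")
    if err:
        return err
    # A real workflow would run a Device: State node here for the caller's device.
    return 200, {"accepted": True, "device": request["body"]["deviceId"], "reportedBy": claims["sub"]}


def post_api_token(request):
    """Hypothetical privileged endpoint; a state-only token is refused with 403."""
    claims, err = _authorize(request, "tokens:create")
    if err:
        return err
    return 200, {"token": "<would-be-application-token>"}


if __name__ == "__main__":
    status, body = post_login({"username": "acme-gateway", "password": USERS["acme-gateway"]})
    hdr = {"Authorization": f"Bearer {body['token']}"}
    print(post_state({"headers": hdr, "body": {"deviceId": "dev-1"}}))
    print(post_api_token({"headers": hdr, "body": {}}))  # (403, ...)
```

Running the block walks the exchange end to end: a successful login yields a token, that token is accepted by the state endpoint, and the same token is rejected by the token-issuing endpoint because the scope check lives in the endpoint rather than in anything the customer controls.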