Access Tokens | Webstrates

An access tokens allows users to temporarily grant permissions to other users to act on their behalf. An access token grants a user the same permissions to a webstrate as the user who generated the access token. Access tokens only grant access to the webstrate they were issued for.

Access tokens are immediately expired/revoked when the permissions of a webstrate changes or a document gets restored (as this may also change permissions). It is not otherwise possible to expire access tokens (other than by letting the access token expire). Making it possible to expire access tokens manually will be implemented on request.

An access token is generated by performing a POST request to the webstrate in question. The POST request must contain a token field. The value of the token field will be used as the token duration in seconds. If the value is not a positive integer, it defaults to 300 seconds.

This example code will create a token with a 300 second validity for the currently logged-in user when run in the developer tools console:

const response = await fetch(document.location.pathname, { method: "POST", body: new URLSearchParams("token=300") });
await response.json();

More generally, a token request response will look similar to:

{
  "webstrateId": "my-test-webstrate",
  "username": "kbadk",
  "provider": "github",
  "token": "Hyg57Qg7Z",
  "expiration": 1497540063
}

The expiration property contains the UNIX timestamp for the token’s expiration time. Once an access token reaches its expiration time, it will cease to be useable.

Access tokens cannot be generated from access token-based access (i.e. you cannot generate tokens using tokens).

To access a webstrate using an access token, put the token in the query string. For the above example:

/my-test-webstrate/?token=Hyg57Qg7Z

A list of all access tokens can be viewed by accessing /<webstrateId>/?tokens.