Issuing temporary access tokens
You can create a temporary token for basic authentication associated with a specific user. A great use-case for this function is the creation of temporary authentication tokens by a trusted resource, such as an LMS that is used to launch activities that communicate directly with lxHive.
Here is an example workflow that we had in mind.
The access token endpoint is available at /auth/tokens.
Every CRUD verb is supported (however, PUT currently acts the same as a POST). All requests must be authenticated via an existing token (using either Basic authentication or OAuth) which has super privileges.
The full JSON body (when providing all parameters) for the POST request should look like this:
```json
{
  "user": {
    "email": "john@example.com",
    "password": "test",
    "permissions": [
      "statements/read",
      ...
    ]
  },
  "name": "Test",
  "description": "A test token.",
  "expiresAt": "2015-05-05T12:00:00Z",
  "scopes": [
    "statements/read",
    ...
  ]
}
```
The only strictly required parameter is user.email. A new user will be created if the user doesn't exist.
Please note: if you omit the user.password parameter then the user will not be able to login via OAuth.
The permission array matches the one described in the xAPI spec, with some additional permissions:
- super: enables administration
- attachments: enables uploading attachments
expiresAt should be an ISO8601 conformant string OR a unix timestamp. The default expiry time is 3600 seconds (1 hour) (#222). The default user permission (when creating a new user) is all, enabling access to all xAPI endpoints, so pass an explicit permissions array if the new user should get less than that.
The response to a successful POST looks like this (sample values):
```json
{
  "key": "aps8ULsOYw63pv5Yl7RNhwlsaqIGbshydyj3xd5Y",
  "secret": "wz3zoXsY0HdiZecVdSbLqnxBapYcEIehuqtgDfhT",
  "expiresAt": 123123123123,
  "expiresIn": 121683831139,
  "createdAt": 1439291984,
  "expired": false,
  "scopes": [
    {
      "name": "all",
      "description": "Full access"
    }
  ],
  "user": {
    "email": "jakob@qy.si",
    "permissions": [
      {
        "name": "all",
        "description": "Full access"
      }
    ]
  }
}
```
You delete a basic access token by making a DELETE request with the query parameters key and secret, containing the respective properties of the token you want to delete. A 204 No Content is then returned.
You can fetch an access token with a GET request by providing the query parameters key and secret. The format of the response matches the one given to a POST request (useful for checking if your key has expired yet). Since both values travel in the query string, make these requests over TLS only; query strings are routinely written to web server access logs.