Application Tokens
Advanced programmers have the ability to create web pages and other systems that interact with Quickbase. This detailed coding is possible through the Quickbase HTTP API. If you plan to make API calls to your app, you'll want to use either user tokens or application tokens.
An application token is an extra string of characters you insert within an API call if the call is using a ticket or username/password for authentication. That string must match one of the application tokens assigned to the app your API call targets. You control whether or not your app requires tokens.
Note: If the API call passes a user token for authentication, an application token is unnecessary.
User tokens vs. application tokens
User tokens and application tokens both help secure your apps. So, when should you use a user token vs. an application token?
User tokens are a form of authentication, whereas app tokens provide permission to access an app in addition to authentication information (either as a ticket or username/password). Application tokens ensure that an API call was sent by someone permitted to make API calls against an app, while the ticket ensures it is executed by someone with permissions in the app.
Since user tokens explicitly grant API access to a specific user, they combine both purposes in the same token. So, if you use a user token, you don't need to use an application token. In fact, if you use a user token as your authentication method, Quickbase doesn’t even check for the application token. However, note that it’s not secure to use user tokens in APIs that are called from a browser (for example, on an app dashboard) because someone could extract the token from the JavaScript source and use it to impersonate the user whose token it is. In general, you should treat user tokens with the same care as you do usernames and passwords.
Using application tokens
Application tokens are optional and provide an added layer of security to protect your app. Application tokens prevent unauthorized persons from creating API calls to your app. You can require application tokens for all your applications. Most API calls require a valid application token.
If you later decide you don't want to use app tokens and your app does not contain sensitive data, you can disable tokens for that app. If you do so, API calls will work, even if they specify an application token. But Quickbase recommends using app tokens unless you authenticate using a user token.
Note: A developer can request from 1 to 500 application tokens. As a best practice, developers obtain one application token and use it for all of their apps.
Disabling application tokens
If you want to use exact forms, disable application tokens. If you're having trouble incorporating a Quickbase add-on or wizard that uses application tokens, you can disable them. Likewise, if your app features formula URL fields that include API calls, you can save yourself the trouble of updating those calls with application tokens by disabling application tokens. But disabling application tokens is a workaround solution and means that you'll lose the additional level of security that app tokens provide. In these cases, you can authenticate with a user token to protect your app against malicious access.
Generating a token is a one or two-step process, depending upon whether the token exists already:
- If no token exists, you must create it and assign it to your app.
- If you have a token that already exists because it belongs to a Quickbase add-on feature that uses API calls (like the Forms Wizard) or you created the token before, copy or note the token and skip ahead to this topic's section: Assign an existing token to an app.
Accessing the Manage Application Tokens page
From the Manage Application Tokens page, you can view application tokens for this app, create new tokens, and assign existing tokens to this app.
To access the Manage Application Tokens page, or view application tokens:
- In the App bar, select the app you want, click Settings, then click App properties.
- Click Advanced settings to expand the section, if needed.
- Under Application Tokens, click the Manage Application Token link.
Creating and assigning an application token
You can create a token and assign it to an application at the same time. When you do so, the token will be available for assignment to other applications too.
Note: You can also use the createapptoken parameter with API_CreateDatabase call.
To create a new application token:
- Click Create New Application Token.
- Type in a description to remind you what the token does.
- If you want Quickbase to copy this token when you copy the app, select Ok to Copy.
- Click OK.
The new token appears in the list of application tokens. API calls containing this token can now interact with the app. The new token is available for assignment to other apps.
Assigning an existing token to an app
If the token you want to assign already exists, assign it to the app with which you want API calls to work.
To assign an existing token to the current app:
- Click Assign Existing Application Token.
- Paste or type in the application token.
  Alternatively, you can choose an existing token: click Choose Existing Token, and choose a token.
- Type in a description to remind you what the token does.
- Select the OK to Copy checkbox to copy this token when you copy the app.
- Click OK. API calls containing this token can now interact with the app.
Sample URL featuring an API call with token
Insert the token as you'd insert any parameter in a URL string:
&apptoken=token
Replace token with the actual token itself, as in this example:
https://myaccount.quickbase.com/db/bdz6zm7uy?a=api_clonedatabase&newdbname=MyTestApp&newdbdesc=Testing&keepData=1&apptoken=bghbnjfu7s9amn7akduwomaytzy
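Because the token travels in the query string, it is worth building the URL server-side from a secret kept out of source code and masking it before the URL reaches a log. The following is an added example, not Quickbase's own code: the function names and the QB_APPTOKEN variable are hypothetical, and the parameter names other than apptoken are assumptions.

```python
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# "apptoken" is the parameter name shown on the page. The other names are
# assumed parameter names for the credentials the page mentions.
SENSITIVE_PARAMS = {"apptoken", "usertoken", "ticket", "password"}
_SAFE_ID = re.compile(r"[A-Za-z0-9-]+")


def load_apptoken(env=os.environ, name="QB_APPTOKEN"):
    """Read the token from the environment (QB_APPTOKEN is a hypothetical name)."""
    token = env.get(name, "").strip()
    if not token:
        raise RuntimeError(f"{name} is not set; refusing to call the API without it")
    return token


def build_api_url(realm, dbid, action, params, apptoken):
    """Build an API URL of the form shown above, with every value URL-encoded."""
    for label, value in (("realm", realm), ("dbid", dbid)):
        if not _SAFE_ID.fullmatch(value):
            raise ValueError(f"unexpected characters in {label}")
    query = [("a", action), *params.items(), ("apptoken", apptoken)]
    return f"https://{realm}.quickbase.com/db/{dbid}?{urlencode(query)}"


def redact_url(url):
    """Return the URL with credential values masked, safe to write to a log."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


if __name__ == "__main__":
    # Constructed demo value; a real deployment sets QB_APPTOKEN outside the code.
    token = load_apptoken({"QB_APPTOKEN": "constructed-sample-token"})
    url = build_api_url("myaccount", "bdz6zm7uy", "api_clonedatabase",
                        {"newdbname": "MyTestApp", "keepData": "1"}, token)
    print(redact_url(url))
```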
For more details about coding API calls, see Quickbase HTTP API documentation.