—> Device1, Device2, Device3
—> User1, User2
—> Device4, Device5, Device6
—> User3, User4
So all 4 users have been created using the main Admin Root account. All 4 users are “end users”, so they only have viewing options to the dashboards and devices within that organization.
The dashboard contains a widget like the one in the example here:
When they go to their dashboard that uses the custom Canvas Widget, what TOKEN is used and should be used in the widget?
How is this TOKEN in the example hidden from the users? It seems like it’s in plain sight in their browser if they look at the page source or use JS debugging tools. Or is it OK if the user gets the TOKEN?
For security, should the widget use the Ubidots API and the Admin API Key to request a new token every time it makes a request to Ubidots? How is the API key hidden from the users?
Should the dashboard in each organization use different TOKENS or Organizational TOKENS? That seems like a very manual setup process to create in each dashboard though.
When using Particle Webhooks to send data to variables, what TOKEN should be used? And should multiple different TOKENS be used? Or can one TOKEN be used for ALL devices?
I’m just trying to get a grasp on the API keys, TOKENs, Organizational TOKENS and users and how and when they all need to be implemented for best security.