Question on Tokens

I know this is basic but I am looking for clarity on Tokens. I have read this document but it still leaves me wanting:

I am setting up a new organization with a new app under my account. My devices send data to Ubidots using a Particle webhook so I want to create tokens that can be associated with a Particle product (think of 10s to 100s of devices). I don’t think I can have a device API token though as the token is stored in the Particle webhook not in the device’s firmware.

If that makes sense, then is this the best approach?

  • Create an account token for each Particle product and put this into the Particle Webhook
  • Create API Tokens for each organization in case we want to query the data in that organization and its resources.

Is there a better / more secure approach? If a token gets compromised, it seems I could generate a new token from my Ubidots Account, delete the compromised one and then update it on the Particle portal without having to change any of the device’s firmware.

Thanks,

Chip

Hi @chipmc,

All you’ve mentioned is correct, but let me provide additional clarification:

Yes, that’s the best approach in terms of management and security since only you have access to the Particle’s webhooks configuration and Ubidots account.

Also, correct. This will limit the access of the token to only the organization’s resources, and not only that, based on the API organizational role said token is under, it will only be allowed to perform some operation over the resources. For example, you could set the API organizational role to read-only.

Last but not least, you’re also right about the ability to replace tokens should they be somehow compromised, without affecting the device’s firmware.

All the best Chip and let us know if we can be of any additional clarification.

–David
