Using API Token authentication

What is an "API Token"?

API tokens are token strings that each app in kintone can issue. A kintone REST API call can be authenticated by placing the token in the request header. Authenticating REST API calls this way has several advantages.

Advantage 1: User ID and passwords are not required

When APIs are called with a user ID and password, the calling system has to store that user ID and password. This makes the password harder to change, and the user credentials can leak from that system. Using REST APIs with API tokens reduces this risk.

Advantage 2: You can limit which apps the REST API can be called on

API tokens are created per app, and a token can only call the REST API on the app it was created on. This prevents the risk of accidentally using the API on the wrong app.

Advantage 3: Types of REST APIs can be limited

You can limit which types of REST API can be called with the API token. For example, you can set up the API token so that "The Get Record API can be called, but the Update Record API cannot be called". This prevents accidentally executing unintended API calls. Even if the API token were to be leaked, the risk is kept to a minimum.

Creating API Tokens

Here, we will show an example of how to create an API token and run an API to obtain records from an App.

First, access the App that you would like to create API tokens for and click on the cog wheel. If you do not see a cog wheel, that's because you have no Administrator permissions for the App. In this case, either log in with an account that has Kintone Administration settings, or work on an App that your account has created before (if you have created an App, you should have Administrator permission for the App).

Next, click the "App Settings" tab, and then "API Token".


The "API Token" page lets you create API tokens for this specific kintone App.



If you click the "Generate" button, an API token will be generated and several check-boxes will appear under the "Permissions" section. You can limit the permissions of this API token by checking and unchecking these boxes. By default, only the "View Record" permission is checked, so this token can only be used to retrieve records through the API.


For now, keep the settings as they are and click the "Save" button. Proceed to update the App by clicking the "Update App" button.
*You must update the app to use the API token. Just generating the API token will not be enough - do not forget to save and update your App after generating the API token.

Running REST API using an API Token

Try out the API token by running the REST API with a curl command, like the following.

If you run the command, the information of your records in the app should be displayed. (If you have set the Basic authorization option, you must configure additional settings, so please refer to curl's man page.)
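
An added example (not the article's own command) of the call described above: it sends the token in kintone's X-Cybozu-API-Token request header to the Get Records endpoint, and hands curl its options on stdin so the token stays out of the process list. The host example.kintone.com, the app ID and the KINTONE_API_TOKEN variable name are placeholders, and the alphanumeric token check is an assumption about the token format.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumptions: host, app ID and the KINTONE_API_TOKEN variable name are
# placeholders; tokens are assumed to be alphanumeric.

# kintone_curl_config HOST APP_ID TOKEN
# Prints a curl config for `curl --config -`. printf is a shell builtin, so
# the token never appears in another process's argument list.
kintone_curl_config() {
    # Allowlist each value so nothing can break out of the quoted config
    # strings or change the URL's host, path or query.
    case $1 in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host" >&2; return 2 ;;
    esac
    case $2 in
        ''|*[!0-9]*) echo "app ID must be numeric" >&2; return 2 ;;
    esac
    case $3 in
        ''|*[!A-Za-z0-9]*) echo "unexpected character in token" >&2; return 2 ;;
    esac
    printf 'url = "https://%s/k/v1/records.json?app=%s"\n' "$1" "$2"
    printf 'header = "X-Cybozu-API-Token: %s"\n' "$3"
}

# kintone_get_records HOST APP_ID
# Reads the token from the environment and performs the Get Records call.
# --fail makes curl exit non-zero on an HTTP error status instead of
# printing the error body as if it were record data.
kintone_get_records() {
    if [ -z "${KINTONE_API_TOKEN:-}" ]; then
        echo "KINTONE_API_TOKEN is not set" >&2
        return 2
    fi
    kintone_curl_config "$1" "$2" "$KINTONE_API_TOKEN" |
        curl --silent --show-error --fail --config -
}

# Usage (placeholders), with KINTONE_API_TOKEN already exported:
#   kintone_get_records example.kintone.com 12
```

With the default "View Record" permission, this read call is the only kind of request the token should be able to make.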

Summary

Each app in your kintone environment can generate API tokens. By using API tokens, you can run the REST API securely without needing to use your user credentials.
API tokens are used for REST APIs - you do not need to use them in conjunction with the JavaScript API.

Comments
  • Nim

    If I am using the API token to view/add/edit/delete records in an app, will that app's JS customization run too (for instance, any event logic I built in)?

  • William Sayama

    Hi Nim
    No, the App's JS file will only run on browser-based events, and cannot be initiated by external calls.
