What is an API Token?
API tokens are strings that each App in Kintone can issue. Kintone REST APIs can be called by placing the API token in the request header. Using API tokens to authenticate REST API calls has several advantages.
Advantage 1: User ID and passwords are not required
When APIs are called with a User ID and password, the calling system has to store that User ID and password. This makes it harder to change the password, and there is also a risk of the user credentials being leaked from that system. Using REST APIs with API tokens reduces this risk.
Advantage 2: The Apps that REST APIs can be called on can be limited
API tokens are created on each App, and a token can only call the REST API on the App it was created on. This prevents accidentally using the API on the wrong App.
Advantage 3: Types of REST APIs can be limited
It is also possible to limit the types of REST API that can be called using the API token. For example, the API token can be set up so that "The Get Record API can be called, but the Update Record API cannot be called". This prevents unintended API calls from being executed by accident. Even if the API token were to be leaked, this keeps the risk to a minimum.
Creating API Tokens
Here is an example of how to create an API token and run an API to obtain records from an App.
First, access the App to create the API tokens for and click on the cog wheel. If there is no cog wheel, the current user account does not have Administrator permissions for the App. In this case, either log in with an account that has Kintone Administration settings, or work on an App that the current user account has created before (the creator of an App should have Administrator permissions for the App by default).
Proceed to click on the App Settings tab, and on API Token.
The API Token page lets API tokens be created for this specific Kintone App.
Clicking the Generate button generates an API token, and several check-boxes appear under the Permissions section. The permissions of this API token can be changed by checking or unchecking these boxes. By default, the View Record permission is checked.
For now, keep the settings as they are and click the Save button. Proceed to update the App by clicking the Update App button.
*The App must be updated to use the API token. Just generating the API token will not be enough - do not forget to save and update the App after generating the API token.
Running REST API using an API Token
Try out the API token by running the REST API with a curl command, like the following.
After running the command, the information of the records in the App should be displayed (Subdomains using Basic Authentication will need to configure additional settings).
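One way to make this call without putting the token on curl's command line, as an added example that is not Kintone's own code. It assumes a kintone.com subdomain and alphanumeric tokens, and the KINTONE_* environment variable names are made up for this example.

```shell
#!/bin/sh
# Added example (not Kintone's own code). The KINTONE_* variable names are
# assumptions made for this example.

# Build the Get Records URL for one App; reject values that could alter the URL.
kintone_records_url() {
  case $1 in ''|*[!A-Za-z0-9-]*) echo "invalid subdomain" >&2; return 1 ;; esac
  case $2 in ''|*[!0-9]*) echo "invalid App ID" >&2; return 1 ;; esac
  printf 'https://%s.kintone.com/k/v1/records.json?app=%s\n' "$1" "$2"
}

# Emit a curl config line carrying the token header. Assumes tokens are
# alphanumeric, so a quote or newline cannot inject extra curl options.
kintone_curl_config() {
  case $1 in ''|*[!A-Za-z0-9]*) echo "invalid API token" >&2; return 1 ;; esac
  printf 'header = "X-Cybozu-API-Token: %s"\n' "$1"
}

# Call Get Records. The header reaches curl on stdin (--config -), so the
# token is not in curl's argument list, where the process list would show it.
kintone_get_records() {
  url=$(kintone_records_url "$KINTONE_SUBDOMAIN" "$KINTONE_APP_ID") || return 1
  cfg=$(kintone_curl_config "$KINTONE_API_TOKEN") || return 1
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config - "$url"
}
```

Export the three variables from a secrets store or a protected environment file, then call `kintone_get_records`. With `--fail`, a token that lacks the View Record permission produces a non-zero exit status instead of a silently printed error body.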
Each App in the Kintone environment can generate API tokens. By using API tokens, it is possible to run REST APIs securely without needing to use any user credentials.