Expand all | Collapse all

Application Token Not Working?

  • 1.  Application Token Not Working?

    Posted 11-27-2019 15:48
    Hey guys!

    My app has the "Require Application Tokens" field checked to true, however, I do not need an app token to use the QB API and pull data from it.
    I would really like to create a more secure environment here and block users from viewing all of the data in certain tables, but I still want to give them read access to those tables so that the app can continue to function for them, only pulling in the data that they need from those hidden tables. 
    The only issue is that users could still get access to this hidden, and valuable, information using the QB API, and despite my attempts, I can't seem to block the API from pulling information from the hidden table. The app token doesn't seem to function here.
    I am using a User Token to make the request. Is there something special about having a user token that makes me not need an app token? If that is the case, how do I block people from using the API on tables they should not be able to see?

    - Sterling Long!

  • 2.  RE: Application Token Not Working?

    Posted 11-27-2019 15:52
    I'm a goof, I just read this:

    • Authenticating with a user token: If you authenticate yourself to Quick Base with a user token, no application token is needed, even if one is assigned to the app you're accessing. The user token can be assigned to one or more apps, and provides built-in security that ticket authentication does not. However, user tokens are not allowed for all API calls.

    My question then is how do I stop my users from just making a User Token and getting access to the information I don't want them to have?

    Normally, I would use roles. But I was steered away from doing that by a few QuickBase gurus. So I thought of hiding the table and blocking API access. But apparently that won't work either.
    What other options do I have?

    Sterling Long

  • 3.  RE: Application Token Not Working?

    Posted 11-28-2019 13:38
    Role security is what you should be using.  That is exactly how you control which records and fields a User has access to. 

    A User Token just is a secret code which when used in a API has the same permissions as the real User.  So if a user creates a User Token and uses an API, then they still have the same access that they always did.

    Mark Shnier (YQC)
    Quick Base Solution Provider
    Your Quick Base Coach