RESTful API temp user tokens
I have a couple of authorization questions about the REST API. More specific to start with - the documentation mentions that I can get "a temporary authorization token, scoped to either an app or a table". My assumption was that this meant one of
a) an application token valid for operations on the app itself or any of the tables within the app
b) a table-specific token valid for operations only on that particular table
However, (a) doesn't actually seem to work that way; when I use the app DBID in the call for a temporary token, that token does not work to authorize, for example, querying data from tables within that app. Using a token retrieved for the specific table DBID works. Is an app-level temp token really not meant to grant access to the app's tables?
The second question would be - is there any way to make use of the user's browser authentication with the REST API instead of explicitly providing tokens, the way the XML API can? If not, this means that the UI I'm working on would have to not only generate and manage separate tokens for each of the over a dozen tables that it's working with, but to ensure that they all keep getting refreshed within the 5-minute temp token expiration interval. Alternately, I suppose I could just fetch a new temp token for every API call I'm making, which would slow everything down.
The combination of the above auth issues is about enough to make me run screaming back to the XML API, which would be a shame; the new API looks more manageable in most other ways. I'd appreciate any advice (or pointers to more detailed documentation) that you can give me.
a) an application token valid for operations on the app itself or any of the tables within the app
b) a table-specific token valid for operations only on that particular table
However, (a) doesn't actually seem to work that way; when I use the app DBID in the call for a temporary token, that token does not work to authorize, for example, querying data from tables within that app. Using a token retrieved for the specific table DBID works. Is an app-level temp token really not meant to grant access to the app's tables?
The second question would be - is there any way to make use of the user's browser authentication with the REST API instead of explicitly providing tokens, the way the XML API can? If not, this means that the UI I'm working on would have to not only generate and manage separate tokens for each of the over a dozen tables that it's working with, but to ensure that they all keep getting refreshed within the 5-minute temp token expiration interval. Alternately, I suppose I could just fetch a new temp token for every API call I'm making, which would slow everything down.
The combination of the above auth issues is about enough to make me run screaming back to the XML API, which would be a shame; the new API looks more manageable in most other ways. I'd appreciate any advice (or pointers to more detailed documentation) that you can give me.
