App token as a variable

  • Question
  • Updated 2 months ago
  • Answered
Need to use an app token for several buttons that edit records.
I was thinking of saving the app token as a variable, or as a formula text field. Then I can insert the same code into each formula rich text button I have, e.g. &apptoken=[MyAppToken]

Then if I change the token etc, all buttons will work on changing a single token variable. Does that lead to any security risks?

Gary Boyd

Posted 2 months ago

John Rogers

I am not 100% sure it will work.

BUT, go to the main settings of your APP, click on variables. Name it whatever you want, and post the token there. These are global variables usable throughout the entire APP. 

I have never implemented this myself, so good luck.

Edit: I do believe the variable is called just like a normal field.

So if you name it globalToken

you do something like:

 IF ( [globalToken] )

Gary Boyd

Thanks.
I can't see any security issues compared to placing the token in the buttons directly.
But others may know better...

QuickBaseCoach App Dev./Training, Champion

My only comment is that it’s unlikely that you will change the app token in the future. But sure, it will work fine.

Application Variables are not well known so another comment is if someone else takes over support for the app they may be confused about that “field” in your formula.

Gary Boyd

Thanks.
From a security risks standpoint, I would make sure the formula field on each table that is derived from the app global variable cannot be used on any reports, nor be searchable.

Ⲇanom the ultimate (Dan Diebolt), Champion

>Does that lead to any security risks?

Application tokens are "bearer tokens", meaning that anyone who knows the token can use it to access resources without further security permissions. Generally bearer tokens are not used client side as they can be read by anyone without further permissions.

Dan is right. To add to his comment, because apptokens and usertokens are used with API calls, which can be extremely powerful, exposing tokens has to be dealt with cautiously. Normally, you would need the app token AND a ticket or usertoken to make these API calls. However, if the application is open to everyone on the internet and that role has read permissions or add permissions on a given table, just the app token is enough to be able to read and add to that table.
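
The point made in the two comments above, as an added example that is not part of the original thread and not QuickBase code: a simplified model of two rich text buttons, one with the token typed in and one using `[MyAppToken]`, audited for what ends up readable in the rendered link. The URL shape, table id, token value and the substitution model are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: not a real token, realm or table id.
APP_VARIABLES = {"MyAppToken": "constructed-token-0001"}
BUTTONS = {
    # Token typed directly into the button formula.
    "literal": '<a href="https://example.invalid/db/tbl1?a=API_EditRecord&amp;rid=7'
               '&amp;apptoken=constructed-token-0001">Approve</a>',
    # Token pulled from the application variable.
    "variable": '<a href="https://example.invalid/db/tbl1?a=API_EditRecord&amp;rid=7'
                '&amp;apptoken=[MyAppToken]">Approve</a>',
}

VAR_REF = re.compile(r"\[([A-Za-z_]\w*)\]")
HREF = re.compile(r'href="([^"]*)"')


def render(formula, variables):
    """Substitute [Name] references (assumed model); unknown names stay as written."""
    return VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), formula)


def tokens_in_markup(markup):
    """Return every apptoken value readable from the links in the markup."""
    found = []
    for href in HREF.findall(markup):
        query = urlsplit(html.unescape(href)).query
        found.extend(parse_qs(query).get("apptoken", []))
    return found


def audit(buttons, variables):
    """Per button: is the token hard-coded, and what does the client see?"""
    report = {}
    for name, formula in buttons.items():
        source_tokens = tokens_in_markup(formula)
        report[name] = {
            "hardcoded": any(not VAR_REF.fullmatch(t) for t in source_tokens),
            "client_sees": tokens_in_markup(render(formula, variables)),
        }
    return report


if __name__ == "__main__":
    for name, row in audit(BUTTONS, APP_VARIABLES).items():
        print(name, row)
```

Both buttons report the same `client_sees` value; only `hardcoded` differs, which is a maintenance property rather than a confidentiality one.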

Gary Boyd

Using the app token as a variable works fine. 
Thanks for the replies. App is not open to anyone on the internet. 
My understanding is that from a security perspective, if you use a variable, it still seems the same, as if the actual app token was entered directly into each button formula, and the app tokens themselves cannot be hidden ( https://community.quickbase.com/quickbase/topics/hide-apptoken-on-formula-rich-text-button-using-a-a... ).

I was thinking this could be an easy way for an admin user, to change the app token, on all buttons if required, rather than having to go through each button.