Vocabulary - Authentication
AccessToken
See Token.
Private AccessToken
See Token.
Public AccessToken
See Token.
SessionToken
See Token.
Token
Tokens are keys used to access resources provided by our API.
All tokens start with the Token ID. The Token ID begins with AT or ST, denoting AccessToken or SessionToken, followed by the Amazon (AWS) Region in which it was issued, followed by a string of random characters. The Token ID identifies the token in question and can be used for statistics and similar purposes.
Most tokens also contain a Token Secret, another string of random characters appended to the Token ID with a period (.) to form the complete token.
The tokens are divided into two groups: SessionTokens and AccessTokens.
Session Tokens
Used by clients, typically a user's web browser, to access our Catalogue API and retrieve catalogue data. They have a limited lifetime, and you are expected to handle issuing them to your end users.
Access Tokens
Used to authenticate your company and to issue SessionTokens. Access Tokens are either private or public, and it is very important to understand the difference between them.
Private Access Tokens
Used by your backend server to issue new SessionTokens from our Catalogue Auth API.
Treat your Private Access Tokens (which contain the Token Secret) like you would treat important passwords. Use them only inside your backend server and never use, expose, or send them to the client side.
Public Access Tokens
Used on the client side to issue new SessionTokens from our Catalogue API.
Easier to use than Private Access Tokens, but also less secure. Since they are used on the client side, third parties can obtain them. To make their use more secure, you can specify which domains are allowed to use a token. This is not fully secure, since a domain restriction only limits where a token may be used from and does not make the token itself secret, but it makes misuse of Public Access Tokens by third parties more difficult.
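As an added example (not code from the original page or from the API provider) of the token layout described under Token and of the rule that the Token Secret must never be exposed: a small Python parser that splits a token into its Token ID and Token Secret, classifies it as an AccessToken or SessionToken from the AT/ST prefix, and produces a redacted form suitable for logs and statistics. The page does not say how the prefix, region and random characters inside the Token ID are delimited, so the underscore layout, the region pattern and the sample tokens below are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# ASSUMPTION (not from the page): prefix, region and random part of the Token ID
# are joined with "_", e.g. "AT_eu-west-1_k9f3ZqL2". The page only states the order
# (AT/ST prefix, then region, then random characters) and that the Token Secret,
# if present, is appended after a period.
TOKEN_ID_RE = re.compile(
    r"^(?P<kind>AT|ST)_(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)_(?P<rand>[A-Za-z0-9]+)$"
)

KINDS = {"AT": "AccessToken", "ST": "SessionToken"}


@dataclass(frozen=True)
class ParsedToken:
    token_id: str
    kind: str
    region: str
    # repr=False keeps the secret out of accidental str()/repr() output in logs.
    secret: Optional[str] = field(repr=False)


def parse_token(token: str) -> ParsedToken:
    """Split a complete token into Token ID and (optional) Token Secret.

    Error messages deliberately do not echo the input, so a malformed but
    still-sensitive token never ends up in an exception trace or log line.
    """
    token_id, sep, secret = token.partition(".")
    m = TOKEN_ID_RE.match(token_id)
    if m is None:
        raise ValueError("malformed Token ID")
    if sep and not secret:
        raise ValueError("Token Secret separator present but secret is empty")
    return ParsedToken(
        token_id=token_id,
        kind=KINDS[m["kind"]],
        region=m["region"],
        secret=secret or None,
    )


def loggable_id(token: str) -> str:
    """Return only the Token ID, the part the page says is usable for statistics."""
    return parse_token(token).token_id


def redact(token: str) -> str:
    """Render a token for logs: Token ID kept, Token Secret replaced."""
    parsed = parse_token(token)
    if parsed.secret is None:
        return parsed.token_id
    return parsed.token_id + ".<redacted>"


if __name__ == "__main__":
    # Constructed sample tokens, not real credentials.
    private_access = "AT_eu-west-1_k9f3ZqL2.s3cr3tVALUE"
    session = "ST_us-east-1_Qx81mPa"
    for t in (private_access, session):
        p = parse_token(t)
        print(p.kind, p.region, redact(t))
```

Anything that writes a token to a log, metrics label or error report should go through redact() or loggable_id(); a complete Private Access Token that reaches a log file has effectively left the backend server, which is exactly what the Private Access Token rule above forbids.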
Token ID
See Token.
Token Secret
See Token.