API tokens

Until release 3.7.0, the only ways to authenticate API calls from outside were a username and password (to log in) or short-lived UI tokens generated by the API and sent as a JWT with each request. There is also a refresh token that is used to renew the short-lived UI tokens.

The information about the user, along with the user's permissions, is encoded in the token itself, so once a UI token is issued it cannot be revoked (which is why these tokens are typically short-lived).

Starting with 3.7.0, long-lived API tokens will be introduced; they are a better fit for authenticating API calls originating from systems. They are a bit slower than UI tokens (the token is verified in the DB with each API call), but they can be revoked easily.
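The revocation trade-off described above, as an added sketch that is not the project's own code. It assumes an HMAC-signed token standing in for the JWT and an in-memory SQLite table that stores only a SHA-256 digest of each API token; `issue_ui_token`, `verify_ui_token`, `ApiTokenStore` and the table schema are hypothetical names.

```python
import base64, hashlib, hmac, json, secrets, sqlite3, time

SIGNING_KEY = secrets.token_bytes(32)  # constructed key for this sketch

def issue_ui_token(user, perms, ttl=300):
    """Stateless token: user, permissions and expiry travel inside the token."""
    body = base64.urlsafe_b64encode(json.dumps(
        {"sub": user, "perms": perms, "exp": time.time() + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()

def verify_ui_token(token):
    """Checks signature and expiry only; no server-side state is consulted."""
    body, _, sig = token.encode().rpartition(b".")
    good = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, good):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > time.time() else None

class ApiTokenStore:
    """Opaque long-lived tokens, looked up in the DB on every call."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE api_tokens (digest TEXT PRIMARY KEY, "
                        "owner TEXT, revoked INTEGER DEFAULT 0)")

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, owner):
        token = secrets.token_urlsafe(32)  # returned once; only the digest is kept
        self.db.execute("INSERT INTO api_tokens (digest, owner) VALUES (?, ?)",
                        (self._digest(token), owner))
        return token

    def verify(self, token):
        row = self.db.execute("SELECT owner FROM api_tokens WHERE digest = ? "
                              "AND revoked = 0", (self._digest(token),)).fetchone()
        return row[0] if row else None

    def revoke(self, token):
        self.db.execute("UPDATE api_tokens SET revoked = 1 WHERE digest = ?",
                        (self._digest(token),))
```

After `revoke()` the API token fails on the next call, while an already issued UI token keeps verifying until its `exp` passes, which is why its lifetime has to stay short.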

To make use of the API tokens, you can generate them in the UI.

Please note that the token string is visible and editable only when you create the token; you will not be able to see or modify it later. For this reason, make sure you copy the token string when creating the API token in the UI.

To use the token, send it in the X-API-Token HTTP header with the request.

$ curl -v -H "X-Api-Token: ${YOUR_TOKEN}" http://${API_HOST_PORT}/v1/api-tokens | jq