Server to Server Authentication

support
raspberrypi3

#1

The Data API Service documentation describes the route /whoami, which generates a Refresh Token that can be used to authenticate service calls and expires in seven days. This authentication pattern seems to be a subset of the OAuth protocol, which usually entails the authentication of a client with a server; the similarities are present, as I can only access the initial token by providing my username and password.

This style of authentication introduces an interesting pattern for server-to-server authentication. After accessing my initial API token, I can generate a refresh token which I can store with a timestamp to indicate when to refresh it. It requires a bit of work to consume this pattern, whereas I may be able to reuse an existing authentication pattern with less effort. For example, standard libraries exist to handle HMAC authentication and are built with server to server authentication in mind.

Does Resin provide a standard method of server to server authentication, such as HMAC authentication?
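Added example (not code from the thread, from Resin or from the resin-sdk): the refresh-token pattern described above, written as a small server-side holder that stores the token with its issue timestamp and renews it before the seven-day expiry. The refresh call is injected (here a constructed simulation in place of the `/whoami` route), and `TokenHolder`, `makeSimulation` and the one-hour renewal margin are assumptions of this example.

```javascript
// Refresh-token holder for server-to-server use: keeps the token and the
// timestamp it was issued, and renews it shortly before it would expire so
// no request goes out with a stale credential.
const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;
const RENEW_MARGIN_MS = 60 * 60 * 1000; // renew one hour early (assumed margin)

class TokenHolder {
  // refreshFn: () => string, returns a freshly issued token
  // now: () => number, current time in ms (injectable for testing)
  constructor(refreshFn, { now = Date.now, lifetimeMs = SEVEN_DAYS_MS,
                           marginMs = RENEW_MARGIN_MS } = {}) {
    this.refreshFn = refreshFn;
    this.now = now;
    this.lifetimeMs = lifetimeMs;
    this.marginMs = marginMs;
    this.token = null;     // the current token; never logged or persisted in clear
    this.issuedAt = 0;     // timestamp stored alongside the token
    this.refreshCount = 0; // how many times a refresh was performed
  }

  // True when there is no token yet or it is within the margin of expiring.
  isStale() {
    if (this.token === null) return true;
    return this.now() - this.issuedAt >= this.lifetimeMs - this.marginMs;
  }

  // Returns a token that is valid for at least marginMs more.
  getToken() {
    if (this.isStale()) {
      this.token = this.refreshFn();
      this.issuedAt = this.now();
      this.refreshCount += 1;
    }
    return this.token;
  }

  // Header to attach to an outgoing API request.
  authHeader() {
    return { Authorization: `Bearer ${this.getToken()}` };
  }
}

// Constructed simulation of a clock and of the refresh endpoint, so the
// behaviour can be exercised offline; a deployment would call the real route.
function makeSimulation() {
  let clock = 0;
  let counter = 0;
  const holder = new TokenHolder(() => `token-${++counter}`, { now: () => clock });
  return { holder, advance: (ms) => { clock += ms; } };
}
```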


#2

Hi @dagrooms52,
We are currently developing named api keys, which can be managed in the dashboard and can be used as authentication tokens. These tokens will not expire after a certain time, but can be revoked manually from the dashboard. Is this mechanism something you had in mind?


#3

Yes, that sounds great to me! When can I expect this functionality to be released?


#4

Hi @dagrooms52 we expect it to be fully released in the coming weeks.


#5

Oooh, I was just about to share a simple device monitoring container, but if named API keys are coming, then I’ll wait until that’s available.


#6

Hi @flesler, I was just wondering if you had an updated estimate on when named api keys might be released. Thanks


#8

Our team would also like to use non-expiring API keys, since our Resin calls are server-to-server and we would like to avoid adding logic to refresh the token. Are there any updates on adding this feature?


#9

Hi,
At the moment you can generate a named user API key with a direct API call:

curl -X POST "https://api.resin.io/api-key/user/full" \
    -H "Authorization: Bearer <yourbearertoken>" \
    -H "Content-Type: application/json" \
    --data-binary '{"name":"testapikey"}'

This will return a user api key which can be used to authenticate with the resin-sdk (v8) and execute requests:

var ResinSdk = require('resin-sdk');
var sdk = ResinSdk();
// The named user API key returned by the curl call above; read it from the
// environment instead of hard-coding it in the source.
var returnedapikey = process.env.RESIN_API_KEY;
sdk.auth.loginWithToken(returnedapikey).then(function() {
	return sdk.models.application.getAll();
}).then(function(apps) {
	console.log(apps);
}).catch(function(err) {
	console.error(err);
});

or be used as a bearer token in any other API request:

curl -X GET "https://api.resin.io/v3/device" \
    -H "Authorization: Bearer <returnedapikey>"

PS: a respective sdk method to generate api keys is planned for one of the upcoming sdk releases.


#10

@thgreasi Great, I’m going to give this a try. Just to confirm, this API key does not expire?


#11

Yes @aric-mira , the named user api keys generated by that endpoint should not expire.
Let us know how this worked for your use case.


#12

Perfect, yes the generated API key worked as expected for my use case. Thanks for your help!


#13

Hi,

We are happy to let you know that you can now create API keys that do not expire from the Dashboard.

These API keys are named tokens that can be created / revoked as needed, and they can be used for authentication in the resin.io API, CLI, and SDKs (Node.js, Python).

For more information you can check the relevant section in our documents: https://docs.resin.io/learn/manage/account/#api-keys

Thanks!

Kostas