/
Token operations in the Credentials API
Document toolboxDocument toolbox

Token operations in the Credentials API

Owned by Alvaro de la Serna Martinez
Last updated: Feb 27, 2025 by Laszlo Frazer
[ 1 Example ] [ 2 Endpoints and methods ]

Example

This bash script will generate tokens for different APIs.

#!/bin/bash token="your 32 character hexadecimal token" base_url="https://api-your_region.devo.com" domain="your_devo_domain" user="user@example.com" curl -i -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -X POST "$base_url/ws/accounts/$domain/credentials/tokens" --data ' { "name": "Aggregation task token created by API", "user": "'"$user"'", "audience": "aggregations", "scopes": "table://my.app.test.tokenapi level://admin" }' curl -i -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -X POST "$base_url/ws/accounts/$domain/credentials/tokens" --data ' { "name": "Query token created by API", "user": "'"$user"'", "audience": "apiv2", "scopes": "table://my.app.test.tokenapi level://admin" }' curl -i -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -X POST "$base_url/ws/accounts/$domain/credentials/tokens" --data ' { "name": "Query job management token created by API", "user": "'"$user"'", "audience": "apiv2-admin", "scopes": "table://my.app.test.tokenapi level://admin" }' curl -i -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -X POST "$base_url/ws/accounts/$domain/credentials/tokens" --data ' { "name": "Alerts token created by API", "user": "'"$user"'", "audience": "alerts", "scopes": "table://my.app.test.tokenapi level://admin" }' curl -i -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -X POST "$base_url/ws/accounts/$domain/credentials/tokens" --data ' { "name": "HTTP ingestion token created by API", "user": "'"$user"'", "audience": "http", "scopes": "table://my.app.test.tokenapi level://admin" }' curl -i -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -X POST "$base_url/ws/accounts/$domain/credentials/tokens" --data ' { "name": "HTTP ingestion token for all tables created by API", "user": "'"$user"'", "audience": "http", "scopes": "table://*.** level://admin" }'

Once the new tokens are created, they will appear in the Devo web app, along side the token used as input.

image-20250227-161222.png

Endpoints and methods

{accountName} refers to the Devo domain name. If the domain name is child@parent, do not use child.

Endpoints and methods

Description

Endpoints and methods

Description

POST /ws/accounts/{accountName}/credentials/tokens see below

Creates a new token.

GET /ws/accounts/{accountName}/credentials/tokens see below

Returns a list of all the tokens for the provided account.

GET /ws/accounts/{accountName}/credentials/tokens/{tokenId} see below

Returns all the information of a single token, including the token itself.

PUT /ws/accounts/{accountName}/credentials/tokens/{tokenId}/enable see below

Enables a token.

PUT /ws/accounts/{accountName}/credentials/tokens/{tokenId}/disable see below

Disables a token.

PUT /ws/accounts/{accountName}/credentials/tokens/{tokenId}/rename see below

Changes the name associated with a token.

DELETE /ws/accounts/{accountName}/credentials/tokens/{tokenId} see below

Deletes a token.

 POST /ws/accounts/{accountName}/credentials/tokens

Creates a new token. See permissions.

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

accountName required

string

The name of the account.

Payload:

{ "name": "string", "user": "email", "audience": "string", "scopes": "string", "expiresInSeconds": 86400 }

  • name is optional, and defaults to 'Unnamed' when not present.

  • user is required. See permissions.

  • audience is optional. When not present, the API will add all audiences for which user has permission. Allowed audiences and their required policies include:

    • aggregations: Manages aggregation tasks. Requires the 'Finders (view)' and 'Domain aggregation tasks' permissions.

    • http: Used for HTTP ingestion. Requires the 'Finders (view)' permission.

    • alerts: Required to send requests to the alerts APIs. Requires the 'Finders (view)' permission. The API will further refine permissions based on the specific endpoint and the authorized user's access grants.

    • apiv2: Allows querying data and managing the user's own jobs. Requires the 'Finders (view)' permission.

    • apiv2-admin: Allows querying data and managing all domain jobs. Requires both the 'Finders (view)' and 'Apiv2 Token (view)' permissions.

    • credentials: Requires the 'Credentials (manage)' permission.

  • scopes is optional and defaults to table://*.** level://user when not present. Accepted values are:

    • level:

      • level://user → normal users

      • level://admin → admin level users

    • table:

      • table://*.** → all tables

      • table://specific.table.name.example → single table
        A scope that specifies at least three tag levels is recommended for security. The default grants access to all data.

  • expiresInSeconds is optional and defaults to 86400 when not present. Use the value -1 to create a permanent token.

scopes and audience can take multiple values, separated by spaces. Examples:

  • audience: aggregations http apiv2

  • scopes: level://user table://*.**

Find below a request example:

URL

https://api-us.devo.com/xxx/ws/accounts/sampleAccount/credentials/tokens

Body

{ "name": "Token created from the Credentials API", "user": "owner@email.com", "audience": "http", "scopes": "level://admin", "expiresInSeconds": -1 }

Creating a token returns the location header with the URI where the resource can be located.

Code

Description

Code

Description

200

Successful response. Token created.

{ "id": 171717171, "scope": "level://admin", "audience": "aggregations", "name": "Token created from the Credentials API", "owner": "owner@email.com", "user": "owner@email.com", "token_type": "Bearer", "account": "sampleAccount", "expires_in_seconds": -1, "active": true, "created": "2025-02-21T08:25:59.000+0000", "updated": "2025-02-21T08:25:59.000+0000", "expiration": null, "token": "3x33xx33x3333x3333x3xx3333x333x3" }

4xx

Bad request.

{ "error": { "code": 4xx, "message": "string" } }

 GET /ws/accounts/{accountName}/credentials/tokens

Lists all the tokens for the provided account. This endpoint returns information about the tokens and their IDs but does not include the token values for security reasons.

Expired tokens will be returned with the active parameter set as false.

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

accountName required

string

The name of the account.

Find below a request example:

https://api-us.devo.com/xxx/ws/accounts/sampleAccount/credentials/tokens

Code

Description

Code

Description

200

Successful response. List of tokens retrieved.

[ { "name": "a", "id": 1, "scope": "table://*.** level://admin", "owner": "web-testing+auto-admin@devo.com", "user": "web-testing+auto-admin@devo.com", "audience": "apiws-admin aggregations apiws", "token_type": "Bearer", "active": true, "expiration": "2024-11-26T14:38:18.000+0000", "account": "sampleAccount", "created": "2024-11-25T14:38:18.000+0000", "updated": "2024-11-25T14:38:18.000+0000", "expires_in_seconds": 86400 }, { "name": "b", "id": 2, "scope": "table://*.** level://admin", "owner": "web-testing+auto-admin@devo.com", "user": "web-testing+auto-admin@devo.com", "audience": "apiws-admin aggregations apiws", "token_type": "Bearer", "active": true, "expiration": "2024-11-26T14:38:18.000+0000", "account": "sampleAccount", "created": "2024-11-25T14:38:18.000+0000", "updated": "2024-11-25T14:38:18.000+0000", "expires_in_seconds": 86400 } ]

4xx

Bad request.

{ "error": { "code": 4xx, "message": "string" } }

 GET /ws/accounts/{accountName}/credentials/tokens/{tokenId}

Returns full details of a single token identified by its ID. The response to this request includes the actual token value.

Expired tokens will be returned with the active parameter set as false.

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

accountName required

string

The name of the account.

tokenId required

string

The ID of the token.

Find below a request example:

https://api-us.devo.com/xxx/ws/accounts/sampleAccount/credentials/tokens/3

Code

Description

Code

Description

200

Successful response. Token retrieved.

{ "name": "test", "id": 3, "scope": "table://*.** level://admin", "owner": "web-testing+auto-admin@devo.com", "user": "web-testing+auto-admin@devo.com", "audience": "apiws-admin aggregations apiws", "token_type": "Bearer", "active": true, "expiration": "2024-11-26T14:38:18.000+0000", "token": "31089320378051f1a2ee17c14028f056", "account": "sampleAccount", "created": "2024-11-25T14:38:18.000+0000", "updated": "2024-11-25T14:38:18.000+0000", "expires_in_seconds": 86400 }

4xx

Bad request.

{ "error": { "code": 4xx, "message": "string" } }

 PUT /ws/accounts/{accountName}/credentials/tokens/{tokenId}/enable

Enable token by ID.

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

accountName required

string

The name of the account.

tokenId required

string

The ID of the token.

Find below a request example:

https://api-us.devo.com/xxx/ws/accounts/sampleAccount/credentials/tokens/3/enable

Code

Description

Code

Description

200

Successful response. Token enabled.

4xx

Bad request.

{ "error": { "code": 4xx, "message": "string" } }

 PUT /ws/accounts/{accountName}/credentials/tokens/{tokenId}/disable

Disable token by ID.

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

accountName required

string

The name of the account.

tokenId required

string

The ID of the token.

Find below a request example:

https://api-us.devo.com/xxx/ws/accounts/sampleAccount/credentials/tokens/3/disable

Code

Description

Code

Description

200

Successful response. Token disabled.

4xx

Bad request.

{ "error": { "code": 4xx, "message": "string" } }

 PUT /ws/accounts/{accountName}/credentials/tokens/{tokenId}/rename

This endpoint updates the name associated with a token, identified by its ID.

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

accountName required

string

The name of the account.

tokenId required

string

The ID of the token.

Payload:

{ "value": "your new token name" }

If the new name is empty or null, the service will still return OK, but the token name will remain unchanged.

Find below a request example:

https://api-us.devo.com/xxx/ws/accounts/sampleAccount/credentials/tokens/3/rename

Code

Description

Code

Description

200

Successful response. Token renamed.

4xx

Bad request.

{ "error": { "code": 4xx, "message": "string" } }

 DELETE /ws/accounts/{accountName}/credentials/tokens/{tokenId}

Deletes a token from an account.

Only to be used when the token is to be removed from the service. There is no coming back from this, and once a token is deleted then it's gone for good.

Path parameters

Add the following path parameters as part of the endpoint:

Parameter

Type

Description

Parameter

Type

Description

accountName required

string

The name of the account.

tokenId required

string

The ID of the token.

Find below a request example:

https://api-us.devo.com/xxx/ws/accounts/sampleAccount/credentials/tokens/3

Code

Description

Code

Description

200

Successful response. Token deleted.

4xx

Bad request.

{ "error": { "code": 4xx, "message": "string" } }