Access token authorization level

Access Token (called access_token in API operations parameters) identifies both application and user, and allows them to perform API calls on topoos platform.

Some operations need to be safer than others: for example, if a user obtains his own Access Token in any way, he could misuse it, because it lets him make API calls directly to topoos in your app's context, or even delete content.

To avoid this type of attack, there are Access Tokens with different authorization levels:

  • Administrator Authorization
  • Authorization (also called User Authorization)

Because of this separation of roles, both Administrator and User Authorization Access Tokens can make API calls that require User Authorization level, but only an Administrator Level Access Token may delete and update content, and perform other admin operations.

The authorization level required for each operation is specified in the API Reference Documentation for each operation.
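The two-level model above can be expressed as a small deny-by-default authorization gate. The following is an added example and not topoos code: the token values, the operation names and the `TOKENS` registry are constructed placeholders standing in for whatever your backend uses to recognise its APPADMIN_TOKEN, APPUSER_TOKEN and OAuth-issued tokens. It shows that a User-level token is accepted only for user-level operations, that an Administrator-level token is accepted for both, and that an unknown token or operation is refused rather than allowed through.

```python
"""Authorization-level gate modelled on the two topoos token levels.

Added example, not topoos code. Token strings, operation names and the
registries below are constructed for illustration.
"""
from enum import IntEnum


class Level(IntEnum):
    """Ordered so that ADMIN satisfies any USER-level requirement."""
    USER = 1
    ADMIN = 2


# Hypothetical registry: access_token value -> its authorization level.
# In a real deployment this lookup would be backed by your own store.
TOKENS = {
    "constructed-appadmin-token": Level.ADMIN,   # like APPADMIN_TOKEN
    "constructed-appuser-token": Level.USER,     # like APPUSER_TOKEN
    "constructed-oauth-user-token": Level.USER,  # obtained via OAuth 2.0
}

# Hypothetical operation names -> minimum level the API Reference requires.
REQUIRED_LEVEL = {
    "content.read": Level.USER,
    "content.create": Level.USER,
    "content.update": Level.ADMIN,
    "content.delete": Level.ADMIN,
}


class AuthorizationError(Exception):
    """Raised when a call must not proceed."""


def authorize(access_token: str, operation: str) -> Level:
    """Return the token's level if it may perform `operation`, else raise.

    Unknown tokens and unknown operations are rejected: nothing is
    allowed by accident because it was never listed.
    """
    level = TOKENS.get(access_token)
    if level is None:
        raise AuthorizationError("unknown or revoked access_token")
    required = REQUIRED_LEVEL.get(operation)
    if required is None:
        raise AuthorizationError(f"unknown operation {operation!r}")
    if level < required:
        raise AuthorizationError(
            f"{operation!r} requires {required.name}, token has {level.name}"
        )
    return level


def is_allowed(access_token: str, operation: str) -> bool:
    """Boolean wrapper around authorize() for quick checks."""
    try:
        authorize(access_token, operation)
    except AuthorizationError:
        return False
    return True


if __name__ == "__main__":
    # A token extracted from a client app is only ever User level,
    # so content deletion is refused even though reading is allowed.
    leaked = "constructed-appuser-token"
    print("read:  ", is_allowed(leaked, "content.read"))    # True
    print("delete:", is_allowed(leaked, "content.delete"))  # False
    print("admin delete:",
          is_allowed("constructed-appadmin-token", "content.delete"))  # True
```

The ordering in `Level` is what encodes "an Administrator token can also make User-level calls"; the `REQUIRED_LEVEL` table is the part you would fill from the API Reference Documentation, and keeping it deny-by-default means a newly added admin operation cannot be reached with a User token simply because it was forgotten.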

How to get an Access Token with Administrator Authorization

You get a valid Access Token with Administrator Authorization level in the application creation step. It is called APPADMIN_TOKEN in app configuration in the Developers Panel.

How to get an Access Token with User Authorization

You get a valid Access Token with User Authorization level when you get an Access Token by using OAuth 2.0.

You also get a valid Access Token with User Authorization level in the application creation step. It is called APPUSER_TOKEN in app configuration in the Developers Panel, and it is useful if your app is single-user.