API Tokens
Developers use Security Cloud Control API tokens when making Security Cloud Control REST API calls. The API token must be inserted in the REST API authorization header for a call to succeed. API tokens are "long-lived" access tokens which do not expire; however, you can renew and revoke them.
You can generate API tokens from within Security Cloud Control. These tokens are only visible immediately after they're generated and for as long as the General Settings page is open. If you open a different page in Security Cloud Control and return to the General Settings page, the token is no longer visible, although it is clear that a token has been issued.
Individual users can create their own tokens for a particular tenant. One user cannot generate a token on behalf of another. Tokens are specific to an account-tenant pair and cannot be used for other user-tenant combinations.
API Token Format and Claims
The API token is a JSON Web Token (JWT). To learn more about the JWT format, read the Introduction to JSON Web Tokens.
The Security Cloud Control API token provides the following set of claims:
- id - user/device uid
- parentId - tenant uid
- ver - the version of the public key (initial version is 0, for example, cdo_jwt_sig_pub_key.0)
- subscriptions - Security Services Exchange subscriptions (optional)
- client_id - "api-client"
- jti - token id
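When a token turns up in a repository, log, or ticket, the claims above tell you which user and tenant it belongs to and which token id to revoke. The following is an added example, not code from this documentation or from Security Cloud Control; the function names, placeholder UIDs, and the sample header are constructed, and the signature is deliberately not verified, so the output is for triage only and never for authorization.

```python
import base64
import json

# Claim names as listed on this page; "subscriptions" is optional.
REQUIRED_CLAIMS = ("id", "parentId", "ver", "client_id", "jti")

def b64url_decode(segment):
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_token(token, expected_tenant=None):
    """Decode the claims WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    if claims["client_id"] != "api-client":
        raise ValueError("client_id is not 'api-client'")
    if expected_tenant is not None and claims["parentId"] != expected_tenant:
        raise ValueError("token belongs to a different tenant")
    return {
        "user_uid": claims["id"],
        "tenant_uid": claims["parentId"],
        "token_id": claims["jti"],
        # Name pattern follows the page's example "cdo_jwt_sig_pub_key.0".
        "signing_key": "cdo_jwt_sig_pub_key.%s" % claims["ver"],
        "subscriptions": claims.get("subscriptions", []),
    }

# Constructed sample: placeholder UIDs, placeholder header, fake signature.
SAMPLE_CLAIMS = {"id": "user-uid-0001", "parentId": "tenant-uid-0001", "ver": 0,
                 "client_id": "api-client", "jti": "token-id-0001"}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url_encode(b"not-a-real-signature"),
])
```

Calling `inspect_token(SAMPLE_TOKEN, expected_tenant="tenant-uid-0001")` returns the user, tenant, token id, and key name for the sample; a token issued for another tenant raises `ValueError`.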