App tokens overview
Advanced programmers have the ability to create web pages and other systems that interact with Quickbase. This detailed coding is possible through the Quickbase HTTP API. If you plan to make API calls to your app, you'll want to use either user tokens or app tokens.
An app token is an extra string of characters you insert within an API call if the call is using a ticket or username/password for authentication. That string must match one of the app tokens assigned to the app your API call targets. You control whether or not your app requires tokens.
Note: If the API call passes a user token for authentication, an app token is unnecessary.
User tokens vs. app tokens
User tokens and app tokens both help secure your apps. So, when should you use a user token vs. an app token?
User tokens are a form of authentication, whereas app tokens provide permission to access an app in addition to authentication information (either as a ticket or username/password). App tokens ensure that an API call was sent by someone permitted to make API calls against an app, while the ticket ensures it is executed by someone with permissions in the app.
Since user tokens explicitly grant API access to a specific user, they combine both purposes in the same token. So, if you use a user token, you don't need to use an app token. In fact, if you use a user token as your authentication method, Quickbase doesn’t even check for the app token. However, note that it’s not secure to use user tokens in APIs that are called from a browser (for example, on an app dashboard) because someone could extract the token from the JavaScript source and use it to impersonate the user whose token it is. In general, you should treat user tokens with the same care as you do usernames and passwords.
Using app tokens
App tokens are optional and provide an added layer of security to protect your app. App tokens prevent unauthorized persons from creating API calls to your app. You can require app tokens for all your apps. Most API calls require a valid app token.
If you later decide you don't want to use app tokens and your app does not contain sensitive data, you can deactivate tokens for that app. If you do so, API calls will work, even if they specify an app token. But Quickbase recommends using app tokens unless you authenticate using a user token.
Note: A developer can request 1 to 500 app tokens. As a best practice, developers obtain one app token and use it for all of their apps.
Deactivating app tokens
If you want to use exact forms, deactivate app tokens. If you're having trouble incorporating a Quickbase add-on or wizard that uses app tokens, you can deactivate them. Likewise, if your app features formula URL fields that include API calls, you can save yourself the trouble of updating those calls with app tokens by deactivating app tokens. But deactivating app tokens is a workaround solution and means that you'll lose the additional level of security that app tokens provide. In these cases, you can authenticate with a user token to protect your app against malicious access.
Generating a token is a one- or two-step process, depending on whether the token already exists:
- If no token exists, you must create it and assign it to your app.
- If a token already exists, either because it belongs to a Quickbase add-on feature that uses API calls (like the Forms Wizard) or because you created it before, copy or note the token and skip ahead to the section Assigning an existing token to an app.
Accessing the Manage App Tokens page
From the Manage App Tokens page, you can view app tokens for this app, create new tokens, and assign existing tokens to this app.
To access the Manage App Tokens page, or view app tokens:
- Select the app you want, click Settings, then click App properties.
- Click Advanced settings to expand the section, if needed.
- In Security options, find the Require Application Tokens checkbox. Click the Manage Application Tokens link.
Creating and assigning an app token
You can create a token and assign it to an app at the same time. When you do so, the token will be available for assignment to other apps too.
Note: You can also use the createapptoken parameter with the Create an app call.
To create a new app token:
- Click Create New Application Token.
- Type in a description to remind you what the token does.
- If you want Quickbase to copy this token when you copy the app, select Ok to Copy.
- Click OK.
The new token appears in the list of app tokens. API calls containing this token can now interact with the app. The new token is available for assignment to other apps.
Assigning an existing token to an app
If the token you want to assign already exists, assign it to the app with which you want API calls to work.
To assign an existing token to the current app:
- Click Assign Existing Application Token.
- Paste or type in the app token.
- Type in a description to remind you what the token does.
- Select the OK to Copy checkbox to copy this token when you copy the app.
- Click OK. API calls containing this token can now interact with the app.
Sample URL featuring an API call with token
Insert the token as you'd insert any parameter in a URL string:
&apptoken=token
Replace token with the actual token itself, as in this example:
https://myaccount.quickbase.com/db/bdz6zm7uy?a=api_clonedatabase&newdbname=MyTestApp&newdbdesc=Testing&keepData=1&apptoken=bghbnjfu7s9amn7akduwomaytzy
For more details about coding API calls, see Quickbase HTTP API documentation.
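An added example, not part of the Quickbase documentation: because tokens travel as URL parameters, this Python sketch scans source text (dashboard JavaScript, formula URL fields) for Quickbase API URLs that embed a token and reports each one with the value masked. The `apptoken` parameter is the one shown above; the `usertoken` parameter name, the function names, and the sample source are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that carry secrets. "apptoken" is from the article;
# "usertoken" is an assumption about how a user token is passed in a URL.
TOKEN_PARAMS = {"apptoken", "usertoken"}
URL_RE = re.compile(r"https://[\w.-]+\.quickbase\.com/db/[^\s\"'<>]+")


def redact_url(url):
    """Return the URL with every token parameter value masked."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_embedded_tokens(source):
    """List (line_no, param, redacted_url) for each token found in source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            for key, value in parse_qsl(urlsplit(url).query):
                if key.lower() in TOKEN_PARAMS and value:
                    findings.append((line_no, key.lower(), redact_url(url)))
    return findings


# Constructed sample: dashboard JavaScript with hard-coded placeholder tokens.
SAMPLE_JS = """\
var base = "https://myaccount.quickbase.com/db/bdz6zm7uy";
fetch("https://myaccount.quickbase.com/db/bdz6zm7uy?a=API_DoQuery&usertoken=EXAMPLE_USER_TOKEN");
var u = 'https://myaccount.quickbase.com/db/bdz6zm7uy?a=api_clonedatabase&newdbname=MyTestApp&apptoken=EXAMPLE_APP_TOKEN';
"""

if __name__ == "__main__":
    for line_no, param, url in find_embedded_tokens(SAMPLE_JS):
        print(f"line {line_no}: {param} in {url}")
```

The same `redact_url` helper can be applied to request URLs before they are written to application logs, so token values do not end up in log files.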