We support and recommend the security principle of least privilege by allowing you to create access tokens for your systems with only those permissions required to access services and perform the functions they require.
Use least privilege
Rather than simply creating a single access token with many permissions you should consider creating multiple access tokens and only granting the permissions needed for each system. This increases security and limits damage should you ever have a token compromised.
Within the Portal click on the Access Token option in the Hub section of the left hand menu to open the Access Tokens management screen. You can create, revoke and view the permissions for issued access tokens in this screen.
In the access tokens management screen click on the Add New Access Token button fill in the Name and Profile fields. The Name field describes the access token or its intended purpose such as the system that will use it. The ProfileId field is for setting the identity for the token i.e. the profile this token represents. This is particularly useful for App Messaging where you want to message users as a virtual system user, for some channels such as SMS this will have little affect.
Now click Next to choose your permissions:
To make it easier for you to assign the required permissions to your token we have created some permission templates based on common uses, such as:
- Use the Enterprise Communications API to send on all channels
- Use the Enterprise Communications API to send on all channels, plus Branch
- Manage profiles and data
- Create Facebook opt-in data
- Manage App Messaging conversations
Simply tick all the common scenarios that you require for your access token, for general sending we recommend One API Access – All Channels + Branch.
By clicking on the Advanced options links under the common permission sets you can tweak your permissions at the most granular level and add permissions for other services such as platform configuration services.
Each service and it associated permissions will be shown in a tree view with any permissions selected from the common permission sets if you have selected any.
Simply select / deselect until you have the permissions you require and then click Save to create an access token.
Now click Create to create you token, you will not be able to change permissions once the token is created!
Your access token will be shown with a convenient copy button on the right hand side. Ensure you copy this now and store it somewhere safe as it cannot be retrieved once you have navigated away from this page for security reasons.
Revocation cannot be undone
Revoked access tokens cannot be reinstated, so please be sure before revoking.
If you have an access token compromised or simply need to rotate them as part of your security practices and procedures you can easily revoke a token by:
- Opening the Portal, then click on the Access Tokens option in the Hub section of the left hand menu.
- Find the access token you want to revoke
- Click the Revoke button and confirm the action; please ensure you are sure you want to revoke the access token as it cannot be undone!
Updated over 1 year ago