Every ARTIK cloud services API call requires an access token. There are three types of tokens: user token, application token, and device token. Some API calls may accept different combinations of request parameters depending on the token type provided. Rate limits also differ between the three token types. Therefore, it is very important to understand when and how to use each token type.
A user token can access data of a specific user. An application token can access data of all users that have granted permissions to the application. A device token can access data of a specific device. Authentication explains how to obtain and use an access token.
A user token is associated with a specific user. The token is obtained via the Authorization Code, Authorization Code with PKCE, Implicit, or Limited Input method. You will also need the application ID. During the process of obtaining the token, a login UI is presented to the user. Each user token has an expiration time, given by the expires_in response parameter of the authentication API call. After a user token expires, you can refresh the token.
An application token is associated with an application (identified by its application ID). The token is obtained via the Client Credentials method. You will also need the application ID. An application token is short-lived compared to a user token. Its expiration time is given by the expires_in response parameter of the authentication API call. After an application token expires, you cannot refresh it. However, you can use the Client Credentials method again to get a new application token. Since there is no login UI involved, it is convenient to obtain an application token.
A device token is associated with a specific device. There are two ways to obtain a device token:
API calls with the device token can only be used to access the information related to that device. The device token does not have a pre-set expiration time. It expires only if the token is revoked through the API call or My ARTIK Cloud.
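The renewal rules for the three token types can be kept in one place on the client. The sketch below is an added example, not ARTIK cloud services code: the Token and TokenKeeper names are hypothetical, the two network calls are injected as callables, and the access_token and refresh_token field names and the expires_in unit (seconds) are assumed from OAuth 2.0.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Token:
    kind: str                     # "user", "application" or "device"
    access_token: str
    expires_at: Optional[float]   # None = no pre-set expiration (device token)
    refresh_token: Optional[str] = None


def from_response(kind: str, resp: dict, now: float) -> Token:
    """Turn an authentication response into a Token with an absolute expiry."""
    if kind == "device":
        expires_at = None         # only revocation ends a device token
    else:
        # expires_in is assumed to be in seconds, as in OAuth 2.0
        expires_at = now + float(resp["expires_in"])
    return Token(kind, resp["access_token"], expires_at, resp.get("refresh_token"))


class TokenKeeper:
    """Renews a token by the rule that applies to its type."""

    def __init__(self, refresh_user: Callable[[str], dict],
                 client_credentials: Callable[[], dict],
                 clock: Callable[[], float] = time.time, skew: float = 30.0):
        self.refresh_user = refresh_user              # hypothetical refresh call
        self.client_credentials = client_credentials  # hypothetical Client Credentials call
        self.clock = clock
        self.skew = skew          # renew this many seconds before expiry

    def is_valid(self, tok: Token) -> bool:
        return tok.expires_at is None or self.clock() < tok.expires_at - self.skew

    def current(self, tok: Token) -> Token:
        """Return tok if still usable, otherwise a renewed token of the same type."""
        if self.is_valid(tok):
            return tok
        now = self.clock()
        if tok.kind == "user":
            if not tok.refresh_token:
                raise RuntimeError("no refresh token: user must log in again")
            return from_response("user", self.refresh_user(tok.refresh_token), now)
        if tok.kind == "application":
            # An application token cannot be refreshed: request a new one.
            return from_response("application", self.client_credentials(), now)
        raise ValueError(f"unknown token kind: {tok.kind}")
```

A revoked device token is not detectable from the clock, so the caller still has to treat an authorization failure on a device-token request as the signal that the token is gone.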