
API Authentication and Authorization

Paanda uses token-based authentication

Token-based authentication works by ensuring that each request to a server is accompanied by a signed token, which the server verifies for authenticity before it responds to the request.

The token is used to identify your account, teams, and roles. Paanda has built-in support for

  • Accounts Management,
  • Teams Management,
  • Roles Management

Most REST endpoints require authentication (a token). There are two types of tokens in the system:

  • token - used for simplified API access
  • JWTtoken - generated using username and password or token

Authorization using username and password or API token

Note

The "createCookie" parameter is optional. By default, it is set to false. If you wish to create a cookie, set this parameter to true.

Using username and password

HTTP
curl -X POST {{host}}/api/core/account/login \
  -H "Content-Type: application/json" \
  -d '{"username":"{{username}}","password":"{{password}}","createCookie":false}'

Returns JWTtoken

Using token

HTTP
curl -X POST {{host}}/api/core/account/login \
  -H "Content-Type: application/json" \
  -d '{"username":"api","password":"{{token}}","createCookie":false}'

Authentication

Note

  • The Authorization header must be base64 encoded
  • curl uses the -u option to send Authorization Basic (curl has built-in support for base64 encoding)
  • curl uses the -H option to send Authorization Token (curl has built-in support for base64 encoding)

HTTP
curl {{host}}/api/core/system/ping \
  -u api:{{token}}

HTTP
curl {{host}}/api/core/system/ping \
  -H "Authorization: Token {{token}}"

HTTP
curl {{host}}/api/core/system/ping \
  -H "Authorization: Bearer {{JWTtoken}}"

HTTP
curl {{host}}/api/core/system/ping \
  -H "Authorization: Bearer {{token}}"

Authorization using Token in query parameters

Security risk

  • Sending the authorization token in query parameters is not secure; it is recommended to use a header instead
  • This method should be used only in a fully controlled environment, e.g. in an internal network

HTTP
curl "{{host}}/api/core/system/ping?ptoken=api:{{token}}"

HTTP
curl "{{host}}/api/core/system/ping?ptoken={{JWTtoken}}"
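
Unlike headers, query strings are routinely written to web server and proxy access logs, so a ptoken sent this way is stored wherever those logs go. The following is an added example, not part of Paanda's documentation or code: it scans access-log lines for the ptoken parameter described above, labels each exposed credential as an api:token pair or a JWT, and redacts it. The combined log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit
# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/core/system/ping?ptoken=api:EXAMPLETOKEN123 HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /api/core/system/ping?ptoken=aaa.bbb.ccc&x=1 HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/core/system/ping HTTP/1.1" 200 12',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
# Three base64url segments separated by dots: the compact JWT shape.
JWT_RE = re.compile(r'^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+){2}$')

def classify(value):
    """Label a ptoken value without keeping it: 'api-token', 'jwt' or 'unknown'."""
    if value.startswith("api:"):
        return "api-token"
    return "jwt" if JWT_RE.match(value) else "unknown"

def scrub_line(line):
    """Return (redacted_line, kind); kind is None when no ptoken is present."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, None
    parts = urlsplit(m.group("target"))
    kind, pairs = None, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "ptoken":
            kind = classify(value)
            value = "REDACTED"
        pairs.append((key, value))
    if kind is None:
        return line, None
    # Rebuild the request target; other parameters are kept but re-encoded.
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + target + line[m.end("target"):], kind

def scan(lines):
    """Scrub every line and count exposed credentials by kind."""
    counts, out = {}, []
    for line in lines:
        clean, kind = scrub_line(line)
        out.append(clean)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return out, counts

if __name__ == "__main__":
    cleaned, counts = scan(SAMPLE_LOG)
    print("\n".join(cleaned), counts, sep="\n")
```

Any credential the scan finds has already been written to disk in clear text, so redaction alone is not enough: rotate the affected token as well.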

You need to attach a cookie named ptoken to the request: ptoken={{JWTtoken}}