cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Need to share some code when posting a question or reply? Make sure to use the "Insert code sample" menu option. Learn more! X

Getting started with REST API and Application Key Authentication

jasong
1-Newbie

Getting started with REST API and Application Key Authentication

I'm looking around and don't see much if any documentation as to how Application Key Authentication works in the ThingWorx REST API.

I have an automated external program that wants to talk to ThingWorx, what does the authentication pattern look like?

Is the application key just a header in the GET/POST/UPDATE/DELETE HTTPS request, like along side Content-Type? Or do we post to some authentication endpoint and then go from there?

(I already created a key.)

9 REPLIES 9
ryanm1
1-Newbie
(To:jasong)

The application key can be passed via URL parameter: 


http://server/Thingworx/Things?appKey=<your-app-key>



jasong
1-Newbie
(To:jasong)

Easy enough, I will try it. Thanks.

jasong
1-Newbie
(To:jasong)

I just realized - that's not secure, even over HTTPS, as the URL is visible.


Any solution to that?



jasong
1-Newbie
(To:jasong)

I just realized - that's not secure, even over HTTPS, as the URL is visible.


Any solution to that?



jasong
1-Newbie
(To:jasong)

I am running into a security issue with this - 

"Not authorized for ServiceInvoke on in "

I don't see any ability to assign a app key to a group or allow any keys or the like. Am I missing something?



ryanm1
1-Newbie
(To:jasong)

When you created the Application Key, you had to assign a User to it. This is the user that is used in the security context at runtime. So the User that is assigned to your AppKey does not have permission to invoke the specific service.

jasong
1-Newbie
(To:jasong)

Alright folks, we're getting there. I was able to restart my browser and resolve the quirky inability to assign a user group to some of my Things so I no longer get a security error.

Now, I am trying the App Key in the header and having no success. It does work in the URL.


This works as you described


POST URL

http://SERVER/Thingworx/Things/THING/Services/SERVICE?appKey=123456-789123456-789456123456


Headers:

Content-Type : application/json



This does NOT work, and is the method we need to go with


POST URL

http://SERVER/Thingworx/Things/THING/Services/SERVICE


Headers:

Content-Type : application/json

appKey : 123456-789123456-789456123456



What am I missing?



ryanm1
1-Newbie
(To:jasong)

That looks correct. I'm doing something similar using the POSTER Firefox plugin and it works. I did not set the content-type however. Any errors either in your test application (wireshark?) or on the TW server?

jasong
1-Newbie
(To:jasong)

Alright, POSTER adds a lot of other extra headers which you cannot control. My problem in Fiddler2 was that I had an extra space in the app key header as it's transmitted, as headers in HTTP must be 
HEADER: key

Whereas I was sending

HEADER[SPACE]: key


My bad there.


POSTER was acting strangely, and one header (a cookie) it included was causing it to work every other time.


So problem solved, I think. Thanks for the help.  For future reference, the packet that worked:


http://SERVER/Thingworx/Things/THING/Services/SERVICE

Content-Type: application/json

appKey: 1c73c437-b516-4507-86a5-cdec33660c89



Top Tags