I'm looking around and don't see much if any documentation as to how Application Key Authentication works in the ThingWorx REST API.
I have an automated external program that wants to talk to ThingWorx, what does the authentication pattern look like?
Is the application key just a header in the GET/POST/UPDATE/DELETE HTTPS request, like alongside Content-Type? Or do we post to some authentication endpoint and then go from there?
(I already created a key.)
The application key can be passed via URL parameter:
http://server/Thingworx/Things?appKey=<your-app-key>
Easy enough, I will try it. Thanks.
I just realized - that's not secure, even over HTTPS, as the URL is visible.
Any solution to that?
When you created the Application Key, you had to assign a User to it. This is the user that is used in the security context at runtime. So the User that is assigned to your AppKey does not have permission to invoke the specific service.
Alright folks, we're getting there. I was able to restart my browser and resolve the quirky inability to assign a user group to some of my Things so I no longer get a security error.
Now, I am trying the App Key in the header and having no success. It does work in the URL.
This works as you described
POST URL
http://SERVER/Thingworx/Things/THING/Services/SERVICE?appKey=123456-789123456-789456123456
Headers:
Content-Type : application/json
This does NOT work, and is the method we need to go with
POST URL
http://SERVER/Thingworx/Things/THING/Services/SERVICE
Headers:
Content-Type : application/json
appKey : 123456-789123456-789456123456
What am I missing?
That looks correct. I'm doing something similar using the POSTER Firefox plugin and it works. I did not set the content-type however. Any errors either in your test application (wireshark?) or on the TW server?
Alright, POSTER adds a lot of other extra headers which you cannot control. My problem in Fiddler2 was that I had an extra space in the app key header as it's transmitted, as headers in HTTP must be
HEADER: key
Whereas I was sending
HEADER[SPACE]: key
My bad there.
POSTER was acting strangely, and one header (a cookie) it included was causing it to work every other time.
So problem solved, I think. Thanks for the help. For future reference, the packet that worked:
http://SERVER/Thingworx/Things/THING/Services/SERVICE
Content-Type: application/json
appKey: 1c73c437-b516-4507-86a5-cdec33660c89
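An added example, not code from the thread or from PTC: a Python sketch that builds the service call with the key in the `appKey` header rather than the URL, and a small check that catches the space-before-colon mistake described above. `SERVER`, `THING`, `SERVICE` and the key value are placeholders, and the function names are hypothetical.

```python
import re
import urllib.request

# RFC 7230: a field name is a "token" and no whitespace may sit between the
# name and the colon ("appKey : x" is malformed, "appKey: x" is fine).
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header_line(line):
    """Return None if a raw header line is well-formed, else the reason."""
    name, sep, _value = line.partition(":")
    if not sep:
        return "missing colon"
    if name != name.rstrip():
        return "whitespace before colon"
    if not TOKEN.match(name):
        return "invalid character in field name"
    return None


def build_service_request(base_url, thing, service, app_key, body=b"{}"):
    """Build a POST that carries the key in the appKey header, not the URL."""
    url = f"{base_url}/Thingworx/Things/{thing}/Services/{service}"
    if "appkey=" in url.lower():
        raise ValueError("keep the application key out of the URL")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    # urllib stores the name as "Appkey"; HTTP field names are case-insensitive.
    req.add_header("appKey", app_key.strip())
    return req


if __name__ == "__main__":
    for raw in ("appKey: KEY", "appKey : KEY"):  # constructed sample lines
        print(repr(raw), "->", check_header_line(raw) or "ok")
    # SERVER, THING, SERVICE and the key are placeholders, not real values.
    req = build_service_request("https://SERVER", "THING", "SERVICE",
                                "00000000-0000-0000-0000-000000000000")
    print(req.get_method(), req.full_url)
    for name, value in req.header_items():
        print(f"{name}: {'<redacted>' if name.lower() == 'appkey' else value}")
```

Pass the returned request to `urllib.request.urlopen` to send it; the script itself makes no network call.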