Getting started with REST API and Application Key ...

jasong · ‎Oct 31, 2012

I'm looking around and don't see much if any documentation as to how Application Key Authentication works in the ThingWorx REST API.

I have an automated external program that wants to talk to ThingWorx, what does the authentication pattern look like?

Is the application key just a header in the GET/POST/UPDATE/DELETE HTTPS request, like along side Content-Type? Or do we post to some authentication endpoint and then go from there?

(I already created a key.)

ryanm1 · ‎Oct 31, 2012

The application key can be passed via URL parameter:

http://server/Thingworx/Things?appKey=<your-app-key>

jasong · ‎Oct 31, 2012

Easy enough, I will try it. Thanks.

jasong · ‎Oct 31, 2012

I just realized - that's not secure, even over HTTPS, as the URL is visible.

Any solution to that?

jasong · ‎Oct 31, 2012

I just realized - that's not secure, even over HTTPS, as the URL is visible.

Any solution to that?

jasong · ‎Oct 31, 2012

I am running into a security issue with this -

"Not authorized for ServiceInvoke on in "

I don't see any ability to assign a app key to a group or allow any keys or the like. Am I missing something?

ryanm1 · ‎Nov 01, 2012

When you created the Application Key, you had to assign a User to it. This is the user that is used in the security context at runtime. So the User that is assigned to your AppKey does not have permission to invoke the specific service.

jasong · ‎Nov 01, 2012

Alright folks, we're getting there. I was able to restart my browser and resolve the quirky inability to assign a user group to some of my Things so I no longer get a security error.

Now, I am trying the App Key in the header and having no success. It does work in the URL.

This works as you described

POST URL

http://SERVER/Thingworx/Things/THING/Services/SERVICE?appKey=123456-789123456-789456123456

Headers:

Content-Type : application/json

This does NOT work, and is the method we need to go with

POST URL

http://SERVER/Thingworx/Things/THING/Services/SERVICE

Headers:

Content-Type : application/json

appKey : 123456-789123456-789456123456

What am I missing?

ryanm1 · ‎Nov 01, 2012

That looks correct. I'm doing something similar using the POSTER Firefox plugin and it works. I did not set the content-type however. Any errors either in your test application (wireshark?) or on the TW server?

jasong · ‎Nov 01, 2012

Alright, POSTER adds a lot of other extra headers which you cannot control. My problem in Fiddler2 was that I had an extra space in the app key header as it's transmitted, as headers in HTTP must be
HEADER: key

Whereas I was sending

HEADER[SPACE]: key

My bad there.

POSTER was acting strangely, and one header (a cookie) it included was causing it to work every other time.

So problem solved, I think. Thanks for the help. For future reference, the packet that worked:

http://SERVER/Thingworx/Things/THING/Services/SERVICE

Content-Type: application/json

appKey: 1c73c437-b516-4507-86a5-cdec33660c89

Getting started with REST API and Application Key Authentication

Getting started with REST API and Application Key Authentication