Getting started with REST API and Application Key Authentication

  • October 31, 2012

I'm looking around and don't see much if any documentation as to how Application Key Authentication works in the ThingWorx REST API.

I have an automated external program that wants to talk to ThingWorx, what does the authentication pattern look like?

Is the application key just a header in the GET/POST/UPDATE/DELETE HTTPS request, like alongside Content-Type? Or do we post to some authentication endpoint and then go from there?

(I already created a key.)

8 replies

1-Visitor
October 31, 2012

The application key can be passed via URL parameter: 


http://server/Thingworx/Things?appKey=<your-app-key>



October 31, 2012

Easy enough, I will try it. Thanks.

October 31, 2012

I just realized - that's not secure, even over HTTPS, as the URL is visible.


Any solution to that?



October 31, 2012

I am running into a security issue with this - 

"Not authorized for ServiceInvoke on in "

I don't see any ability to assign an app key to a group or allow any keys or the like. Am I missing something?



1-Visitor
November 1, 2012

When you created the Application Key, you had to assign a User to it. This is the user that is used in the security context at runtime. So the User that is assigned to your AppKey does not have permission to invoke the specific service.

November 1, 2012

Alright folks, we're getting there. I was able to restart my browser and resolve the quirky inability to assign a user group to some of my Things so I no longer get a security error.

Now, I am trying the App Key in the header and having no success. It does work in the URL.


This works as you described


POST URL

http://SERVER/Thingworx/Things/THING/Services/SERVICE?appKey=123456-789123456-789456123456


Headers:

Content-Type : application/json



This does NOT work, and is the method we need to go with


POST URL

http://SERVER/Thingworx/Things/THING/Services/SERVICE


Headers:

Content-Type : application/json

appKey : 123456-789123456-789456123456



What am I missing?



1-Visitor
November 1, 2012

That looks correct. I'm doing something similar using the POSTER Firefox plugin and it works. I did not set the content-type however. Any errors either in your test application (wireshark?) or on the TW server?

November 1, 2012

Alright, POSTER adds a lot of other extra headers which you cannot control. My problem in Fiddler2 was that I had an extra space in the app key header as it's transmitted, as headers in HTTP must be 
HEADER: key

Whereas I was sending

HEADER[SPACE]: key


My bad there.


POSTER was acting strangely, and one header (a cookie) it included was causing it to work every other time.


So problem solved, I think. Thanks for the help.  For future reference, the packet that worked:


http://SERVER/Thingworx/Things/THING/Services/SERVICE

Content-Type: application/json

appKey: 1c73c437-b516-4507-86a5-cdec33660c89
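
Added example, not part of the original thread: a small Python check for the two problems discussed above, an appKey left in the URL query string (where it ends up in access logs, proxy logs and client history) and a header line with whitespace before the colon. The function name `lint_request`, the sample URL and the all-zero key are constructed for illustration; the check runs on the request text only and sends nothing.

```python
import re
from urllib.parse import urlsplit, parse_qs

# RFC 7230 "token": the only characters allowed in a header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample values, not taken from a real server.
SAMPLE_URL = "https://SERVER/Thingworx/Things/THING/Services/SERVICE"
SAMPLE_KEY = "00000000-0000-0000-0000-000000000000"


def lint_request(url, raw_headers):
    """Return a list of findings for one request.

    url         -- request URL as typed into the client
    raw_headers -- header lines exactly as they would go on the wire
    """
    findings = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(name.lower() == "appkey" for name in query):
        findings.append("appKey in URL query string; send it as a header instead")

    has_key_header = False
    for line in raw_headers:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"no colon in header line: {line!r}")
            continue
        if not TOKEN.fullmatch(name):
            # Catches 'appKey : value', where a space precedes the colon.
            findings.append(f"invalid header name {name!r}; no whitespace before ':'")
            continue
        if name.lower() == "appkey" and value.strip():
            has_key_header = True
    if not has_key_header:
        findings.append("no valid appKey header")
    return findings


if __name__ == "__main__":
    cases = {
        "header, well formed": (SAMPLE_URL, ["Content-Type: application/json", f"appKey: {SAMPLE_KEY}"]),
        "space before colon": (SAMPLE_URL, ["Content-Type: application/json", f"appKey : {SAMPLE_KEY}"]),
        "key in URL": (f"{SAMPLE_URL}?appKey={SAMPLE_KEY}", ["Content-Type: application/json"]),
    }
    for label, (url, headers) in cases.items():
        print(label, "->", lint_request(url, headers) or "ok")
```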