Org-scoped M2M tokens?
I'm looking to implement programmatic API access for our users so that they can set up org-scoped tokens on their own (for CI/CD, for example). Is there any way to set this up?
Or even just API keys associated with a given user/their org
Hey @andro,
We are currently building a feature to add M2M token scopes (permissions) - see here: https://updates.kinde.com/board/machine-to-machine-application-tokens-api-scopes
Would this solve your use-case?
You can give users access to API keys for the API you registered with Kinde - see here: https://docs.kinde.com/developer-tools/kinde-api/access-to-your-api/#via-app-keys
Yeah this could work given M2M token roles
But I don't want "scopes" (I think that's the terminology used), I want roles which assign permissions.
Understood.
In the meantime, you could add feature flag values to an M2M token, and treat those feature flag values as an M2M token role. I can help you further if you can explain more about your use case for roles in the M2M token.
Roles are always, and should always, be associated with a user. An M2M token should always be associated with a machine.
So M2M roles do not make sense (architecturally), since there shouldn't be any user associated with an M2M token.
What I'm really looking to do is build "personal access tokens" that are associated with a given organization (so more like "organization access tokens").
I.e. the token exchange would occur with a client ID/secret instead of username/password.
Understood.
In that case, I would suggest creating an API key per org as per the details here: https://docs.kinde.com/developer-tools/kinde-api/access-to-your-api/#via-app-keys
And give M2M roles with the feature flag workaround mentioned above.
Thanks. Is there any ETA on M2M token permissions?
I see it is "now", but any insight into what that means?
M2M tokens permissions should be live within the next 2 weeks.
Thanks, I'll just wait it out then. Any way to sign up for updates on this? Great product you all have!
You can be notified when the feature is live by subscribing here: https://updates.kinde.com/board/machine-to-machine-application-tokens-api-scopes
Thanks for the feedback
Thanks
No worries
Hey @andro,
The API scopes feature mentioned above is actually now live.
You can read details about how to use the feature here: https://docs.kinde.com/developer-tools/kinde-api/custom-api-scopes/#_top
Let me know if you have any questions.
I have a similar question. I need each tenant in my system (Organization) to be able to generate an access token via an API call, to then use to call other API endpoints I have that restrict them to their tenant via OrgCode.
I wasn't able to get the Kinde-native system working the way I wanted, so I just wrote my own with a similar structure to GitHub PATs.
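The PAT-style, org-bound token scheme described in the post above, as an added example that is neither code from this thread nor from Kinde: the `oat_` prefix, the `OrgTokenStore` class and the permission names are constructed assumptions, and the store is an in-memory stand-in for a database table.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
PREFIX = "oat_"  # constructed prefix so leaked tokens are recognisable (like GitHub's "ghp_")

def _digest(token):
    # Tokens carry 256 bits of entropy, so plain SHA-256 (no salt or stretching) suffices at rest.
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class TokenRecord:
    token_hash: str
    org_code: str           # the organisation the token is bound to
    permissions: frozenset  # same permission names you would grant a user
    revoked: bool = False

class OrgTokenStore:
    """In-memory stand-in for a database table of org-scoped tokens (hypothetical)."""
    def __init__(self):
        self._records = {}  # lookup id -> TokenRecord

    def issue(self, org_code, permissions):
        lookup_id = secrets.token_hex(8)    # public part, indexes the row
        secret = secrets.token_urlsafe(32)  # private part, never stored in clear
        token = f"{PREFIX}{lookup_id}.{secret}"
        self._records[lookup_id] = TokenRecord(_digest(token), org_code, frozenset(permissions))
        return token  # shown to the user exactly once

    def authenticate(self, token):
        if not token.startswith(PREFIX):
            return None
        lookup_id = token[len(PREFIX):].partition(".")[0]
        rec = self._records.get(lookup_id)
        if rec is None or rec.revoked:
            return None
        # constant-time compare of the stored digest against the presented token's digest
        if not hmac.compare_digest(rec.token_hash, _digest(token)):
            return None
        return rec

    def revoke(self, token):
        rec = self.authenticate(token)
        if rec is None:
            return False
        rec.revoked = True
        return True

def authorize(store, token, org_code, permission):
    """Allow the call only if the token is valid, bound to this org and grants the permission."""
    rec = store.authenticate(token)
    return rec is not None and rec.org_code == org_code and permission in rec.permissions
```

Because the org code and permissions live in the server-side record rather than in the token, a token can never be re-pointed at another tenant, and revocation takes effect immediately.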
Hey @mfraser,
Are you able to elaborate a bit more on your use-case?
In your comment above, is "each tenant" a machine representing an organization?
Hey @andro,
I am keen to understand more about what went wrong and why you weren't able to get Kinde working the way you wanted, if you are able to share?
1) There's no easy way to tie the token to an org specifically.
2) I don't want to pay for scopes when I just want the same permissioning as I give users.
3) It would be ideal for API key users to not have to go through the token exchange flow.
Andro's responses number 1 and 3 nail it; not sure if paying for scopes would even solve the problem.
We plan on having 100s if not more companies integrating with our platform via our APIs to manage their data, and without an easy way to tie the token to an org things become much more complicated.
Right, at that point it makes sense for me to just implement it myself. Provides a better flow for my users as well.