Converting your application to use tokens

All applications, script, utilities, services, and remote clients, which use the Web SDK or CodeSign Protect REST, require integration. When customizing your integrated application to use tokens, choose the design pattern that most closely matches your application, utility, or client.

In the UI, the API Integration settings should meet scope and token requirements for your application. For more information, see Setting up access token authentication.

Recommended when another application supplies the access and refresh tokens to your application or service:

  1. Another source, such as VCert or the PKI team, supplies the initial access token, access token expiration, and refresh token.
  2. Your application securely stores the tokens and expiration date.
  3. Your application passes the access token in the header of every API call. For more information, see Passing a bearer token in your API calls.
  4. Before the access token expires, your application uses the refresh token to get a new set of tokens. These tokens replace those previously stored. For more information, see POST Authorize/Token refresh.
  1. Trust Protection Platform credentials, such as username and password or client certificate with password, are provided to the application for initialization.
  2. Your application uses the credentials to obtain an access token and refresh token. For more information, see Getting a token.
  3. Your application securely stores the tokens and expiration date.
  4. Your application passes the access token in the header of every API call. For more information, see Passing a bearer token in your API calls.
  5. Before the access token expires, your application uses the refresh token to get a new set of tokens. These tokens replace those previously stored. For more information, see POST Authorize/Token refresh.

Recommended when your utility or script has a short execution time that won’t outlive the token, similar to VCert:

  1. Another source obtains the access token.
  2. When your utility or script invokes, it retrieves the token.
  3. Your utility or script passes the access token in the header of every API call. For more information, see Passing a bearer token in your API calls.

Recommended as the simplest way for a utility or script to use tokens while relying on traditional user credentials:

  1. (Recommended) The API default settings, or the API application's settings have a 1-day grant and refresh capability is disabled. A 1-day grant with no refresh ensures the token won't be around long if the utility aborts before it can revoke the token.  For more information, see Setting up access token authentication.
  2. During start up, your utility or script has the Trust Protection Platform credentials, such as username/password or client certificate with password.
  3. Your utility or script uses the credentials to receive the access token. For more information, see Getting a token.
  4. Your utility or script passes the access token in the header of every API call. For more information, see Passing a bearer token in your API calls.
  5. Upon completion, your utility or script calls GET Revoke/Token.