Managing access tokens

After a user has authorized their access with the Proof of Key, the client receives an access token that includes the asset ID used to restrict the resource. With this token the user can access the resource again without repeating the Proof of Key process, for example after the client has been closed or reset.

The access token only grants access to the resource that asks for the asset ID contained in the token itself. The token is short-lived and is meant only for repeated access within a short window. It should be verified with the Ambitorio server to confirm that it is a genuine Ambitorio token and has not expired.

Verifying access token

To verify the access token, the following function can be used:

validateAccessToken(token, [config]);
  • token: The access token that has to be verified
  • config: Optional configuration options, detailed on this page.

If the access token can be verified, then the returned object shows the content of the access token:

{
  "assetIds": ["0c2f1cc1f71ccaa5822c30001"]
}

With the list of asset IDs, the client can see which resources can be accessed by the user without having to go through the Proof of Key process.

Security implications

  • Access tokens are signed by Ambitorio and can’t be manipulated.
  • The access token is valid for only 15 minutes.

Ambitorio class object

The Ambitorio class object provides an easier way to manage access tokens. It keeps an array of access tokens ready so that they can be used directly to let a user access restricted content without requesting a new challenge.

An access token is an object that holds the assetId and the accessToken:

{
  assetId: string;
  token: string;
}

Searching for the access token

The array of access tokens can be accessed at any time via ambitorio.accessTokens. It can then be filtered to find the access token needed:

const accessToken = ambitorio.accessTokens.find(
  (access) => access.assetId === "305261e3c7ffc8a9b15d0001"
);
console.log(accessToken.token); // v4.public.eyJhc3NldElkIjoiMzA1MjYxZTNjN2ZmYzhhOWIxNWQwMDAxIiwiaWF0IjoiMjAyMi0wMS0zMFQxMzoyNjoyOC42MDBaIiwiZXhwIjoiMjAyMi0wMS0zMFQxMzo0MToyOC42MDBaIn0tBYMxlv3vY77h-xFrIOqIAWFtTfEDroeek-iLni_ljw3-YCrQsmmLm-uIIQl5XDbYJEG89CBoUKSl2nnyWf8N
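The token printed above starts with v4.public., which identifies it as a PASETO v4.public token: the JSON claims and a 64-byte Ed25519 signature are concatenated and then base64url-encoded together. The following is an added example, not part of the Ambitorio SDK, that parses the token shown above with Node's Buffer so the client can read its claims (assetId, iat, exp) and check the 15-minute lifetime stated under "Security implications"; function names are my own. Parsing is not verification: only validateAccessToken can confirm the signature.

```javascript
// Added example (not Ambitorio SDK code). Parses an Ambitorio access token:
// "v4.public." + base64url(JSON claims || 64-byte Ed25519 signature).
// It does NOT verify the signature; validateAccessToken() does that.

const SIGNATURE_BYTES = 64; // Ed25519 signature length in PASETO v4.public

// Sample input: the token shown earlier on this page.
const SAMPLE_TOKEN =
  "v4.public." +
  "eyJhc3NldElkIjoiMzA1MjYxZTNjN2ZmYzhhOWIxNWQwMDAxIiwiaWF0IjoiMjAyMi0wMS0zMFQxMzoyNjoyOC42MDBaIiwiZXhwIjoiMjAyMi0wMS0zMFQxMzo0MToyOC42MDBaIn0" +
  "tBYMxlv3vY77h-xFrIOqIAWFtTfEDroeek-iLni_ljw3-YCrQsmmLm-uIIQl5XDbYJEG89CBoUKSl2nnyWf8N";

// Returns the UNVERIFIED claims ({ assetId, iat, exp }) and the raw signature.
// Throws on anything that is not structurally a v4.public token.
function parseAccessToken(token) {
  const parts = token.split(".");
  // Exactly three parts: version, purpose, payload (no footer on this page).
  if (parts.length !== 3 || parts[0] !== "v4" || parts[1] !== "public") {
    throw new Error("not an Ambitorio v4.public access token");
  }
  // Decode the payload as one blob: the claims and the signature were joined
  // BEFORE encoding, so they do not align on a character boundary.
  const blob = Buffer.from(parts[2], "base64url");
  if (blob.length <= SIGNATURE_BYTES) throw new Error("payload too short");
  const message = blob.subarray(0, blob.length - SIGNATURE_BYTES);
  const signature = blob.subarray(blob.length - SIGNATURE_BYTES);
  const claims = JSON.parse(message.toString("utf8"));
  if (typeof claims.assetId !== "string" || !claims.iat || !claims.exp) {
    throw new Error("missing assetId/iat/exp claims");
  }
  return { claims, signature };
}

// Lifetime in minutes as encoded in the token (this page states 15 minutes).
function tokenLifetimeMinutes(claims) {
  return (Date.parse(claims.exp) - Date.parse(claims.iat)) / 60000;
}

// Cheap local pre-check so an already expired token is dropped before a round
// trip to validateAccessToken(). Not a substitute for server verification.
function isExpiredAt(claims, now = new Date()) {
  return now.getTime() >= Date.parse(claims.exp);
}

const { claims } = parseAccessToken(SAMPLE_TOKEN);
console.log(claims.assetId, tokenLifetimeMinutes(claims), "minutes");
```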

Restoring access tokens

A class object can optionally be created by passing an array of access tokens. This is useful if the client saves its access tokens (for example in case the client crashes) and restores them for use later.

const ambitorio = new Ambitorio([
  // each entry is an access token object as defined above; the token value is
  // whatever the client saved earlier (placeholder shown here)
  { assetId: "305261e3c7ffc8a9b15d0001", token: "<previously saved token>" },
]);

Callback for access tokens changes

Optionally, the client can also create a class object with a callback function that is invoked whenever the access token array changes:

const ambitorio = new Ambitorio([], () => {
  // called whenever a token is added to or removed from ambitorio.accessTokens
  console.log("Token array changed");
});

This is useful if the client should persist every array change to local storage or reflect changes in the UI.

Verifying access token

With the token, the access token can now be verified with the Ambitorio server:

validateAccessToken(accessToken.token);

If the token is not valid, it is automatically removed from the array.