API Tokens
Developers use CDO API tokens when making CDO REST API calls. The API token must be inserted in the REST API authorization header for a call to succeed. API tokens are "long-lived" access tokens which do not expire; however, you can renew and revoke them.
You can generate API tokens from within CDO. These tokens are only visible immediately after they're generated and for as long as the General Settings page is open. If you open a different page in CDO and return to the General Settings page, the token is no longer visible, although it is clear that a token has been issued.
Individual users can create their own tokens for a particular tenant. One user cannot generate a token on behalf of another. Tokens are specific to an account-tenant pair and cannot be used for other user-tenant combinations.
API Token Format and Claims
The API token is a JSON Web Token (JWT). To learn more about the JWT token format, read the Introduction to JSON Web Tokens.
The CDO API token provides the following set of claims:
id- user/device uidparentId- tenant uidver- the version of the public key (initial version is 0, for example, cdo_jwt_sig_pub_key.0)subscriptions- SSE subscriptions (optional)client_id- "api-client"jti- token id
Token Management
Generate an API Token
- From the user menu, select Settings.
- In My Tokens, click Generate API Token.
- Save the token in a secure location in accordance with your enterprise's best practices for maintaining sensitive data.
Renew an API Token
The API token does not expire. However, users may choose to renew their API token if the token is lost, compromised, or to conform to their enterprise's security guidelines.
- From the user menu, select Settings.
- In My Tokens, click Renew. Defense Orchestrator generates a new token.
- Save the new token in a secure location in accordance with your enterprise's best practices for maintaining sensitive data.
Revoke an API Token
- From the user menu, select Settings.
- In My Tokens, click Revoke. Defense Orchestrator revokes the token.