API/Device Tokens

API/Device tokens can be created when you want to integrate with a third party or device, but maintain authentication separation from your main user/secret. For instance, if you you want to provide a token to a third party, but maintain the right to revoke it later.

This becomes useful for managing IoT devices independently from your main user.


Once you have a token id and secret, you can use them completely in-place of a user id/secret.

Eg. instead of /api/v1/user/{{userId}} you would put /api/v1/user/{{tokenId}}.

In your header, you would simply replace your user token with the auth token secret:

Authorization: Bearer {{tokenId}}


Tokens have a set of scopes (separated by a space ) that specify what you are allowed to do with that given set of credentials.

  • user
  • user.update
  • topic
  • topic.create
  • topic.update
  • topic.delete
  • subscription.create
  • subscription.update
  • subscription.delete
  • token
  • token.create
  • token.update
  • token.delete
  • event
  • event.aggr
  • template
  • template.exec
  • template.create
  • template.update
  • template.delete


You can authenticate externally with the OpenID Connect (OIDC) flow. Read more about it here