API Keys and Key Permissions

In the EVRYTHNG Platform, two mechanisms govern how actors (users through operator access, and machines or services through access tokens) can interact with resources. These mechanisms are called permissions and conditions. In broad terms, permissions determine the type of resources an actor can see or change. Conditions determine the particular resources an actor can see or change.
See Roles and Permissions to learn more about roles. See Restrictive Conditions to understand how conditions work.

Each time you call the API, the Platform confirms the API key exists. The key's permissions allow or deny that call to be made. If this security check fails, the response is 403 Forbidden.

The API key also defines the resources the actor is restricted to. For example, permissions allow the caller to interact with factories, and conditions restrict the actor to only factory 1 and factory 2. Depending on the API key used, the platform determines the account you're permitted to see and, if applicable, the resources that are scoped to that account.


Key Types

Operator API Key

An Operator API Key represents an owner or collaborator on an account. It's generated when you create a user account. An Operator collaborating on several accounts gets a new Operator API Key for each account. If the key is compromised, you can regenerate it anytime through the Dashboard in the 'Account Settings' section.

❗️

Important

The Operator API Key gives the most access to your account (including all resources) and must be kept secret. To prevent abuse, it must never be used in publicly accessible code.

Access Token

An access token represents an anonymous user or service that's allowed to access the platform on an account. An authorized Operator creates this token through the Access Tokens API and assigns roles and conditions to control the token's access. It's the secret counterpart key designed to be used only by back-end applications for which code isn't exposed, such as Ruby, PHP, Java, or Node apps when they require additional permissions to create or change resources. Do not use the access token or Operator API key in client-side applications.

Read more about Access Tokens and Operator Access to learn how to manage these keys.