OAuth Tokens and Personal Access Tokens
What are OAuth Tokens?
You don’t want to give a password of a Xurrent user to an application or integration layer. In the event of a breach in that application or in the integration layer, you want the Xurrent password to remain safe. And you want the integration to have access only to the data that are really required and nothing more.
That’s where OAuth Tokens come into play. You will not share password data but instead OAuth Tokens with your integrations. Based on these OAuth Tokens and on the scope you define for the OAuth Token you will allow an integration to access the Xurrent service without giving away your password. And you are able to specify excactly what the integration is allowed to create, read, update and delete.
You can obtain an OAuth token either by generating a Personal Access Token from My Profile in Xurrent, or by creating an OAuth Application from the Settings console in Xurrent.
In this training you will use a Personal Access Token. When you build an integration we advise you to create an OAuth Application.
Creation of a Personal Access Token
Let’s create now a Peronal Access Token for Howard Tanner that you will use in the exercises during the rest of this training. To do so, log in as Howard Tanner to Widget Data Center and click on the avatar of Howard in the upper right. Select the option ‘My Profile’.
Next, open the ‘Personal Access Tokens’ section. Click on the ‘Generate new token’ button or on the ‘+’ sign in the header bar to create a new Personal Access Token.
Give your Personal Access Token a name. This name should be meaningful. In this case you could name your personal access token ‘Integrations Training’.
A Personal Access Token has a Scopes section in which you will need to define what record types can be accessed. Click on the Add record types button and check the list of available record types.
It is a bad practice to give more access rights to a personal access token than needed. So for now you will not add any record types to the scope. You will do so at the start of each exercise, making sure that this personal access token has access to the relevant record types and nothing more.
Note that a personal access token from Howard Tanner will never gain more access than Howard Tanner has. As Howard Tanner has the Account Administrator role of five Xurrent accounts, his personal access token can get access to most of the record types in the list.
For the exercises in this training, you will only need to access records from the Widget Data Center account and from the Widget International (directory) account. Specify in the scope section of your peronal access token these two accounts.
Now you can generate your token. To the right of the newly generated token you have a Copy function. Make sure to copy your new personal access token and save it in a .txt file or note. You will not be able to see the token again, and you cannot recover it later.