API Tokens

DX Engine uses API tokens for authentication and authorization. There are two types of tokens, each with different permission levels and use cases.

Token Types

Management Tokens

Management tokens provide elevated administrative access to your customer account.

Permissions:

  • Create, read, update, and delete (CRUD) operations on all resources
  • Manage Flows, Components, Connections, Secrets, and other DX Engine elements
  • Backup and export configurations
  • Full administrative control over your customer instance

Use Cases:

  • Configuration management through DX Engine APIs
  • Automated deployment and CI/CD pipelines
  • Backup and restore operations
  • Development and testing environments

Security Considerations:

  • Never use management tokens in front-end applications
  • Store securely in backend services or CI/CD systems
  • Rotate regularly as part of security best practices
  • Limit access to authorized personnel only

Token Expiration

  • By default, the tokens do not expire, but expiring tokens can be requested for enhanced security. Customers are responsible for tracking token expiry and having new tokens issued before the old ones expire, so that operation continues without interruption.

Query Tokens

Query tokens provide minimal permissions for runtime operations.

Permissions:

  • Invoke Components and Flows
  • Invalidate cache entries
  • Read-only access to execute configured experiences

Use Cases:

  • Front-end applications (web, mobile)
  • Client-side API calls
  • Production runtime queries
  • Public-facing integrations

Security Considerations:

  • Safe to use in front-end applications
  • Minimal risk if exposed, as they cannot modify configurations
  • Can be embedded in client-side code
  • Recommended for all customer-facing implementations

Token Expiration

  • Only non-expiring query tokens will be issued.

Token Comparison

Feature                   | Management Token | Query Token
--------------------------+------------------+-------------
CRUD Operations           | ✅ Full access   | ❌ No access
Invoke Components/Flows   | ✅ Yes           | ✅ Yes
Backup/Export             | ✅ Yes           | ❌ No
Cache Invalidation        | ✅ Yes           | ✅ Yes
Front-end Safe            | ❌ No            | ✅ Yes

Generating API Tokens

All users are given a set of API tokens when they are granted access to the Conscia console. If a new set of tokens is required, please contact us.

Best Practices

  1. Use the Right Token Type

    • Query tokens for front-end and runtime operations
    • Management tokens for backend administrative tasks only
  2. Secure Storage

    • Store management tokens in secure vaults or environment variables
    • Never commit tokens to version control
    • Use secrets management tools (AWS Secrets Manager, Azure Key Vault, etc.)
  3. Token Rotation

    • Rotate management tokens regularly (quarterly or as per security policy)
    • Generate new tokens when team members leave
    • Revoke unused or compromised tokens immediately
  4. Environment Separation

    • Use different tokens for different environments (dev, staging, production)
    • Limit production token access to essential personnel
  5. Monitoring

    • Monitor token usage for unusual activity
    • Set up alerts for unauthorized access attempts
    • Audit token usage regularly
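As an added example (not Conscia's or DX Engine's own code), the Python below keeps a constructed token registry that applies the practices above and the expiry-tracking responsibility noted under Token Expiration: it hands front-end callers a query token and backend callers a management token for the requested environment, and lists tokens that are about to expire or are overdue for rotation. The record fields, the 14-day warning window and the 90-day rotation period are assumptions; the secret values themselves stay in a vault, not in this registry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed helper, not DX Engine code: a registry of token metadata
# (never the secret itself) used to enforce the page's usage rules.

@dataclass(frozen=True)
class TokenRecord:
    token_type: str                 # "management" or "query"
    environment: str                # "dev", "staging" or "production"
    issued_at: datetime
    expires_at: Optional[datetime]  # None = non-expiring (the default)
    name: str                       # label for the vault entry, assumed

# Assumed set of caller contexts that count as front-end code.
FRONTEND_CONTEXTS = {"web", "mobile", "browser"}

def select_token(records: List[TokenRecord], context: str, environment: str) -> TokenRecord:
    """Front-end contexts only ever receive a query token; everything else
    (CI/CD, backend services) receives the management token for that environment."""
    wanted = "query" if context in FRONTEND_CONTEXTS else "management"
    for rec in records:
        if rec.token_type == wanted and rec.environment == environment:
            return rec
    raise LookupError(f"no {wanted} token registered for environment {environment!r}")

def tokens_needing_action(records: List[TokenRecord], now: datetime,
                          warn_before: timedelta = timedelta(days=14),
                          rotate_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for expiring tokens (request a replacement before
    expiry) and for management tokens past the assumed quarterly rotation period."""
    actions = []
    for rec in records:
        if rec.expires_at is not None and rec.expires_at - now <= warn_before:
            actions.append((rec.name, "expires soon; request a replacement"))
        elif rec.token_type == "management" and now - rec.issued_at >= rotate_after:
            actions.append((rec.name, "management token past rotation period"))
    return actions

# Constructed sample registry and reference time for a stand-alone run.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_REGISTRY = [
    TokenRecord("management", "production", NOW - timedelta(days=120), None, "mgmt-prod"),
    TokenRecord("management", "dev", NOW - timedelta(days=10), NOW + timedelta(days=7), "mgmt-dev"),
    TokenRecord("query", "production", NOW - timedelta(days=400), None, "query-prod"),
]

if __name__ == "__main__":
    print(select_token(SAMPLE_REGISTRY, "web", "production").name)
    print(tokens_needing_action(SAMPLE_REGISTRY, NOW))
```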