API Access Tokens for non-licensed Users

chanmar
chanmar ✭✭
edited 12/09/19 in API & Developers

I've seen varying information about who can generate an API Token.

For example, I am a "free" unlicensed user who has access to a licensed user's sheets. That licensed user is part of the Enterprise plan. I am setup as a "Viewer". When I try to generate a token, I get a message saying I need to Upgrade my plan.

Can anyone help clarify?

 

Thanks!

«1

Comments

  • dAVE Inden
    dAVE Inden Employee

    Whether or not someone can generate an access token is determined by the status of their account, not the items they have access to in Smartsheet. As a free collaborator you aren't able to generate access tokens. Generating an access token requires having a paid license on your account. I should note that this license needs to be from one of our multi-user plans like the Business plan or Enterprise plan. The license from the Individual plan doesn't include the ability to generate access tokens.

  • MHalvey
    MHalvey ✭✭✭✭✭

    @dAVE Inden - Circling back on this answer. We have a third party company who is paying to develop an API between us. If I as a system admin, licensed, enterprise level user generate an API token for them, do they need to have access to our account or can we just share the sheets they are going to bridge and they can be on their own account in Smartsheet? Thank you for your thoughts on this. - Michael

    "Strive for Progress, not perfection."

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    @MHalvey I would suggest that someone in the account that is actually going to be using the API generates the token and the API builder(s) use that.

  • MHalvey
    MHalvey ✭✭✭✭✭

    Hey @Paul Newcome - Always a pleasure to speak with you. 😁 So if I'm understanding you correctly, the person who generates the API token should be the user from my company who is the main contact with this third party vendor? This would have to be a licensed user as well since I don't believe non-licensed users can generate API tokens.

    Then would it be correct to assume this third party vendors doesn't need me to invite them into my companies SS account and they can be just an "external contact" shared with the assets they'll use for the bridge between their software and us using Smartsheet?

    Thank you - Michael

    "Strive for Progress, not perfection."

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    That is correct.


    If Company B is building an API for Company A, a licensed user in Company A should generate the API token and provide that to Company B along with access to all items necessary.

  • MHalvey
    MHalvey ✭✭✭✭✭

    @Paul Newcome - Thank you again for the example. One final question - is there any security risk to that license user from Company A and their shared assets if they give the token to Company B for the build out. Meaning it's a general licensed user account shared with a lot of other assets besides the ones used for Company B. Company B cannot see or use any those other assets?

    Or is it best practice for this? Maybe create a new account and use a license just for this bridge to Company B from Company A? Seems like a waste of a license then, huh?

    Thank you again,

    Michael

    "Strive for Progress, not perfection."

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    Technically Company B can access EVERYTHING attached to Company A's account regardless of what the person who generated the token has access to.


    There are always going to be security concerns when sharing access. That is why I always encourage "shopping around", very thorough vetting processes, and a competent legal department that can generate documents such as contracts, non-disclosure agreements, etc..


    I have even told potential clients that when they reached out to me. Of course I a little more professional about it, but I basically tell people "I'd be more than happy to take your money, but I want you to feel both comfortable and confident in our partnership."


    At the risk of getting on one of my soap boxes... Trust is a VERY important part of any business.

    (insert 4 more paragraphs after this that I deleted because I did end up on a soap box hahahaha)

  • MHalvey
    MHalvey ✭✭✭✭✭

    @Paul Newcome - No worries about the soap box. haha!

    Okay- so there is no best practice for this. Do make sure you have a NDA or contract put in place with Company B in our example.

    It also doesn't matter if I make the token as the Admin, or a general licensed users, or even if I made a new licensed user account just for this Company B integration - Company B could access everything attached to Company A's account in Smartsheet?

    And nothing in here (Smartsheet - Official API and SDK Documentation (redoc.ly)) and the OAuth Process / Developer section would limit Company B from full access?

    Again, I can't thank you enough for your time and feedback on this. I truly appreciate it all.

    -Michael

    "Strive for Progress, not perfection."

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    "It also doesn't matter if I make the token as the Admin, or a general licensed users, or even if I made a new licensed user account just for this Company B integration - Company B could access everything attached to Company A's account in Smartsheet?

    And nothing in here (Smartsheet - Official API and SDK Documentation (redoc.ly)) and the OAuth Process / Developer section would limit Company B from full access?"


    Correct and Correct. Giving someone API access gives them access to EVERYTHING including user lists, data, items, permissions, licenses, etc.. It can all be managed via the API, and there is no way to restrict what can and can't be done within an API build or operation.

  • Genevieve P.
    Genevieve P. Employee Admin

    Hiya! Just jumping in here to help explain maybe in a different way.

    Think of the API Token as your Password Log In information.

    If you, on your account, give your password to someone else then they can log in as you and see all of the things that you have access to.

    If one of colleagues on their account gives out their password, then whoever has it can log in as that colleague and gain access to all of their data/information (restricted by what that colleague is restricted to).


    Think of API Tokens as "passwords" to your account. Instead of logging in from the User Interface (UI), the Token logs you into the API. Does that help?

    Here's the documentation with more information:


    Cheers,

    Genevieve

  • Paul Newcome
    Paul Newcome ✭✭✭✭✭✭

    @Genevieve P. Thanks for that. I was under the impression it was more of a "master key". I didn't realize it was limited to whatever the token generating account had access to.

  • MHalvey
    MHalvey ✭✭✭✭✭

    @Paul Newcome @Genevieve P. - Thank you both for chiming in. So then the final answer would be if I (Company A) create a new licensed user account and share two sheets with that new account. Then generate a "Raw API token" with that new account and give that Raw API token to the Company B. Company B can ONLY see the two sheets information and not the XXXX amount of assets, information, data, etc in Company A's Smartsheet account as describe below?

    "WARNING: If an unauthorized user gets a copy of this token, they will be able to access all Smartsheet data that you have access to, both to read and modify on your behalf."

    Thank you again for your time,

    Michael

    "Strive for Progress, not perfection."

  • Genevieve P.
    Genevieve P. Employee Admin

    Hi @MHalvey

    You are correct. If you give out an API token from a Licensed User on your account that only has 2 sheets showing when they log into the UI (Smartsheet), then the API will allow them to "access all Smartsheet data that [this account] has access to":

    In this case, it's the two sheets, and any other information that specific licensed user can see (e.g. the email addresses shared to the sheet, their Contacts, and so on).

    It would not give that person System Admin permissions for your whole Organization unless that Licensed user was also a System Admin. You can only do actions through the API that you can do logged in as that person in the Smartsheet UI. Meaning, an Editor on a sheet cannot move columns on that sheet through the API since that requires Admin permissions.

    You would essentially be giving an account to Company B. "Here's the login information for this licensed user." Whatever that licensed user can do, access, or update when signed in to Smartsheet, the API can do programatically using that Token.

    I hope that helps!

    Genevieve