Access Tokens
An access token is a credential that an application uses to identify itself to the GraphQL API. By presenting an access token, the application indicates that it’s acting on behalf of a user (or of the application itself).
Tokens should be treated as secrets and kept confidential both in transit and in storage. An application should never display a token to a user or store it in a user-visible location. Tokens should only be transmitted over secure connections such as HTTPS/TLS.
Token types
User tokens
Warhorn issues a user token when a user authorizes an application to use the Warhorn API on their behalf. Each user who authorizes an application has their own token, and any API call that includes a user token is performed in the context of the permissions granted to that user as e.g. a subscriber, an event registrant or a member of an event’s staff. For example, consider a query for event schedule information. If the user is not registered for the event, the API response will never contain any player or character names. However, if the user is registered for the event, the API response may include player or character names if the query included them. Consult the GraphQL schema for specifics about the permissions that are required for various operations and fields.
An application can obtain user tokens using Warhorn Login. When a user logs into your app using Warhorn Login, the app receives a user token and can use it for all subsequent API calls made on behalf of that user. The app MUST discard the user token when it logs the user out, and MUST request a new one the next time that user logs in.
Application tokens
Warhorn issues an application token to each application registered to use the Warhorn API. This token is not tied to any specific user. As such, an application has the same effective set of permissions as a user who is not logged into Warhorn. In practice, this means that an application using an application token can only execute queries and mutations and return fields that are accessible to the public at large.
You can find the application token for an app you have registered with Warhorn in your account settings.
You can also send a token request to exchange your app’s client ID and secret for its application token.
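The token-handling rules above (keep the token out of logs and user-visible places, send it only over HTTPS, discard it on logout, and exchange the client ID and secret for an application token) can be captured in a small client wrapper. The following is an added example, not Warhorn's own code. It assumes that tokens are presented in an `Authorization: Bearer` header, that the application-token request is an OAuth client-credentials exchange, and uses placeholder URLs; none of those specifics are stated on this page, so check them against the API documentation before use.

```python
"""Added example (not Warhorn's own code) of handling Warhorn access tokens.

Assumptions not stated on the page: the GraphQL endpoint URL, the token
request URL, the `Authorization: Bearer <token>` header format and the
client-credentials form body. Replace the placeholder URLs with real ones.
"""
import json
import urllib.request
from typing import Optional
from urllib.parse import urlencode, urlparse

GRAPHQL_URL = "https://example.invalid/graphql"    # placeholder (assumption)
TOKEN_URL = "https://example.invalid/oauth/token"  # placeholder (assumption)


class InsecureTransport(ValueError):
    """Raised when a token would be sent over anything other than HTTPS."""


def require_https(url: str) -> str:
    """Tokens travel only over TLS: reject any non-https URL before building a request."""
    if urlparse(url).scheme != "https":
        raise InsecureTransport(f"refusing to send a token over {url!r}")
    return url


class WarhornClient:
    """Holds at most one access token and never exposes it in repr() or logs."""

    def __init__(self, token: Optional[str] = None) -> None:
        self._token = token

    def __repr__(self) -> str:
        # Show only whether a token is present, never its value.
        return f"WarhornClient(token={'<redacted>' if self._token else None})"

    @property
    def logged_in(self) -> bool:
        return self._token is not None

    def login(self, user_token: str) -> None:
        """Store the user token handed back by Warhorn Login."""
        self._token = user_token

    def logout(self) -> None:
        """Discard the user token; a fresh one is requested at the next login."""
        self._token = None

    def build_graphql_request(self, query: str,
                              variables: Optional[dict] = None) -> urllib.request.Request:
        """Build (but do not send) a GraphQL POST carrying the current token."""
        if self._token is None:
            raise RuntimeError("no access token: log in or load the application token")
        body = json.dumps({"query": query, "variables": variables or {}}).encode()
        return urllib.request.Request(
            require_https(GRAPHQL_URL),
            data=body,
            method="POST",
            headers={
                "Content-Type": "application/json",
                # Assumed header format; confirm against the API docs.
                "Authorization": f"Bearer {self._token}",
            },
        )

    @staticmethod
    def build_token_request(client_id: str, client_secret: str) -> urllib.request.Request:
        """Build the request that exchanges the app's client ID and secret for
        its application token. Assumes an OAuth client_credentials form body."""
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        }).encode()
        return urllib.request.Request(
            require_https(TOKEN_URL),
            data=body,
            method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )


def send(req: urllib.request.Request) -> dict:
    """Send a prepared request and decode the JSON response (network call)."""
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    client = WarhornClient()
    client.login("user-token-from-warhorn-login")  # constructed sample value
    req = client.build_graphql_request("{ viewer { id } }")
    print(client, req.full_url, req.get_method())   # token never printed
    client.logout()
    print(client.logged_in)
```

Keeping the token behind a private attribute with a redacting `__repr__` is the cheap way to stop it leaking through debug output or error reports, and routing every outbound URL through `require_https` turns the "HTTPS only" rule into a check that fails loudly rather than a convention that is easy to forget.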
Token expiration
Warhorn does not currently expire access tokens. However, we reserve the right to implement expiration in the future. Should we do so, we will provide an API endpoint for refreshing expired tokens.
Reference
oauth.com has a great detailed explanation of how access tokens are used in OAuth.