Authorization

Access to certain resources is dependent upon a token bearer's role. Most of the time you will be authenticating as one of your users, which will allow access to a small subset of resources available to your account. In other cases, as when you are using a server-side integration, you may be authenticating as a product, or even an admin; in these cases, you will have access to a wider range of resources.

Resource attributes and relationships marked with a "protected" badge are only allowed to be specified if the authenticated bearer is an admin of the account, or a product that owns the resource. Attributes and relationships marked with a "read only" badge cannot be modified.

Many resource endpoints are automatically scoped according to the token bearer's role. For example, listing all licenses while authenticated as a product will only list licenses associated with that particular product. Attempting to access resources that the bearer does not have access to will result in a 403 Forbidden error.

Never hard-code authentication tokens within your client-facing product. Doing so could leave your product open to serious exploitation by giving a malicious user the ability to fully manage your account's resources. The only time you should use your admin or product token(s) directly is when you are working with Keygen server-side.
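One way to enforce this rule at build time, as an added example that is not part of the Keygen documentation: scan the client build output for the admin and product tokens held in the build environment, in plain form and in common whole-token encodings. The environment variable names, file names and token values are assumptions constructed for illustration.

```python
import base64
import hashlib
import os

# Assumption: hypothetical names of the environment variables that hold the
# server-side tokens on the build machine.
SERVER_ONLY_ENV = ("KEYGEN_ADMIN_TOKEN", "KEYGEN_PRODUCT_TOKEN")

def load_secrets():
    """Read the admin/product tokens from the environment, never from source."""
    return {name: os.environ[name] for name in SERVER_ONLY_ENV if os.environ.get(name)}

def encodings(secret):
    """Whole-token forms in which a secret commonly ends up in shipped files."""
    raw = secret.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw).rstrip(b"="),
        "hex": raw.hex().encode(),
        "utf-16le": secret.encode("utf-16-le"),  # wide-string constants in binaries
    }

def fingerprint(secret):
    """Short hash so a finding can be reported without echoing the token."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scan_artifacts(artifacts, secrets):
    """Return (file, secret label, encoding, offset, fingerprint) per hit."""
    findings = []
    for name, blob in sorted(artifacts.items()):
        for label, secret in secrets.items():
            for form, needle in encodings(secret).items():
                offset = blob.find(needle)
                if offset != -1:
                    findings.append((name, label, form, offset, fingerprint(secret)))
    return findings

def demo():
    # Constructed sample tokens and build output; none of these values are real.
    secrets = {"admin": "CONSTRUCTED-ADMIN-TOKEN-0001",
               "product": "CONSTRUCTED-PRODUCT-TOKEN-0002"}
    artifacts = {
        "dist/app.js": b'headers = {Authorization: "Bearer CONSTRUCTED-ADMIN-TOKEN-0001"}',
        "dist/settings.dat": b"cfg=" + base64.b64encode(b"CONSTRUCTED-PRODUCT-TOKEN-0002"),
        "dist/ok.js": b"const token = await login(email, password)",
    }
    return scan_artifacts(artifacts, secrets)

if __name__ == "__main__":
    for finding in demo():
        print("server-only token found in client artifact:", finding)
```

In a real pipeline, pass `load_secrets()` and the bytes of each file in the client bundle to `scan_artifacts`, and fail the build when the result is non-empty.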

Here's a quick summary of the different authorization roles:

| Role | Administrator | Authentication | Authorization |
| --- | --- | --- | --- |
| None | No | No | Unauthenticated users can create a new user profile (unless your account is protected), and validate license keys using the validate-key action. No other endpoints are accessible to unauthenticated users. |
| User | No | Yes | Authenticated users may access certain resource endpoints, but all resources that are returned will be scoped to their user profile, e.g. when a user makes a request to list all licenses, only the licenses which are associated with their user profile will be returned. |
| License | No | Yes | Authenticated licenses may perform machine activations and deactivations through activation tokens. They may also validate the license. They cannot perform any other request. |
| Product | Yes | Yes | Authenticated products may access resources for their account that are associated with that particular product. All resources that are returned will be scoped to the product, e.g. when a product makes a request to list all licenses, only the licenses which are associated with the product will be returned. |
| Support Agent | Yes | Yes | Authenticated support agents may access some resources for their account. They can read the following resources: products, policies, users, licenses, machines. They can update the following resources: licenses, machines. They cannot delete resources. |
| Sales Agent | Yes | Yes | Authenticated sales agents may access some resources for their account. They can read the following resources: products, policies, users, licenses, machines. They can create the following resources: policies, licenses, machines. They can update the following resources: policies, licenses, machines. They can delete the following resources: licenses, machines. They cannot delete any other resources. |
| Developer | Yes | Yes | Authenticated developers may access all resources for their account, minus account billing information. |
| Admin | Yes | Yes | Authenticated admin users may access all resources for their account. |