API tokens for broker user authentication?

It says: “The API Aspect … can be a very effective way to interact with … software such as TopCat.”

In the Lasair project, we are thinking that a Data Rights user can log in to the Portal, get their API token, then lodge the token with their User Profile on Lasair. Then Lasair will be able to fetch data on their behalf, and provide URLs to that data that includes the token. Is this a viable model?

@roy, this is a great question and I’ve moved it to a new topic in the Support category to ensure we get you an answer. I’ll bring this to the attention of the RSP team and will be able to get back to you by Fri Aug 18 at the latest.

Side note, “it says” refers to the 23A Users Committee Report.

1 Like

Would also be nice to know how to use the portal to create the right sort of token … is this the right form for the user?


Sorry the alert brokers are not an RSP service so I am not sure what their auth arrangements are - @ebellm can advise.

A token with the read:image and read:tap capabilities should be able to be used by Lasair to query the VO services provided by the RSP. But I would never include the token in plain text in a URL. If you are going to provide data via URLs, I think you either need to ensure authentication or sign the URLs (and limit their usage time).

Oh i failed my reading comprehension test. Sorry. You meant broker as in to intermediate.

Yes you can use those tokens to get data from our API services on behalf of a user. Your system has to be able to ask the user to provide their token, store it securely, and then use it appropriately.

@roy I’ve marked @frossie 's answer as the solution here, but let us know whether that does in fact answer your question?

FYI: Here is the documentation on how to use a token with TOPCAT in case it’s useful to anyone