I’d like to integrate the Mender API into my own application, but am unsure how the API tokens should be managed. The documentation shows how to get a token for a user using the /api/management/v1/useradm/auth/login endpoint but isn’t clear about what practices I should follow if I want to call the Mender API from my application.
If I pregenerate a token, will it eventually expire? What is the recommended way of handling this? Should I bake my username/password into my application so I can regenerate tokens once they expire? Or is there a better way of handling this?
Hi @samlewis,
Not really my area, but I will try to cover the parts that I know.
Yes, the generated token will expire and I believe it is valid for seven days, meaning that you will need to have a mechanism in place to refresh. I do not really know what the best practice is here and hopefully someone else might provide some insights.
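One way to build the refresh mechanism mentioned in the reply above, as an added example that is not part of the thread and not Mender's own code: a small cache that reads the token's expiry and logs in again shortly before it lapses, with credentials taken from the environment rather than baked into the application. It assumes the token is a JWT carrying an `exp` claim and that the login endpoint accepts HTTP Basic auth and returns the token as the response body; `MENDER_URL`, `MENDER_USER` and `MENDER_PASSWORD` are hypothetical variable names.

```python
import base64
import json
import os
import time
import urllib.request

LOGIN_PATH = "/api/management/v1/useradm/auth/login"  # endpoint named in the thread

def jwt_expiry(token):
    """Return the 'exp' claim (Unix seconds) of a JWT; reads it without verifying."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def mender_login():
    """Assumption: POST with Basic auth, token returned as the plain response body."""
    cred = f'{os.environ["MENDER_USER"]}:{os.environ["MENDER_PASSWORD"]}'.encode()
    req = urllib.request.Request(
        os.environ["MENDER_URL"] + LOGIN_PATH, data=b"", method="POST",
        headers={"Authorization": "Basic " + base64.b64encode(cred).decode()})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode().strip()

class TokenCache:
    """Holds one token and logs in again once it is within `skew` seconds of expiry."""
    def __init__(self, login=mender_login, skew=300, clock=time.time):
        self._login, self._skew, self._clock = login, skew, clock
        self._token, self._exp = None, 0

    def get(self):
        if self._token is None or self._clock() >= self._exp - self._skew:
            token = self._login()
            self._exp = jwt_expiry(token)  # raises if the reply is not a JWT
            self._token = token
        return self._token

    def invalidate(self):
        """Call after an HTTP 401 so the next get() performs a fresh login."""
        self._token = None

def make_constructed_jwt(exp):
    """Unsigned sample token for offline use (constructed, not a real Mender token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"

if __name__ == "__main__":
    week = 7 * 24 * 3600  # validity period the reply mentions
    cache = TokenCache(login=lambda: make_constructed_jwt(int(time.time()) + week))
    print("token expires at", jwt_expiry(cache.get()))
```

Each API call then sends `Authorization: Bearer <cache.get()>`; the account behind the credentials should carry only the permissions the application needs.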
Thanks @mirzak, would love to hear more about this from your team.
Still would love to hear more about this and what the road map regarding the Mender API is. Is integrating with the Mender API something that will be supported long term?
We potentially would like to integrate aspects of Mender into our customer facing application so, for example, customers (or maybe more likely, technicians) can see the version of their devices and trigger updates.
The API is something that we will maintain long-term and is part of our release process.
The API is versioned (/api/management/v2/devauth/, note the v2 here) and if we do any breaking changes we increment the version. We will keep multiple versions around for a while and there is a process to deprecate and remove older versions, but there must be a deprecation notice for at least one release cycle before we remove anything.