API Key mod

Enable Decko users to perform authorized web requests associated with their account without a session.

Cards with codenames

codename default name purpose
:api_key *api key key for authenticating/authorizing API usage

Sets with code rules

[account card]+:api_key

This is where the API key is stored. By default it is visible to and editable by the account holder and to users with the “Help Desk” role.


event name when purpose
generate_api_key triggered creates a new, random key
validate_api_key on save ensures content is comprised of 20+ alphanumerics (only)


view name format purpose
core HTML show key to permitted user and provide form to generate new one
generate_button HTML button for generating new API Key
token_link HTML links to json view returning a JWT token
token JSON return a JWT token for rapid authentication

[accounted card]+:account


view name format purpose
api_key HTML nests api_key card


Extends Card::Auth.signin_with to accept api_key: myapikey

API Usage

API users can add the api_key param to query strings or to request headers. Or, for faster authentication, they can use their api key to get a JWT token. Card sharks can provide a link for this token with the token_link view (see above). The token can then be passed via the token param. By default tokens last for two days. This can be configured in application.rb or environment config files using config.token_expiry.