Manage the user tokens for your own app connector
With an app connector, authentication is handled based on tokens, not user names and passwords. A token is a key that is valid for a combination of environment/app connector/user/device.
If a user starts using an external app, he first requests a token via the external app. You must set up an automated process for this yourself. However, you can manually add tokens to an app connector on an ad hoc basis. If it is no longer allowed to use a certain token, you delete it.
The automated process is as follows:
- The user requests a token using the app. The app sends along the API key of the Profit environment and the app connector.
- Profit checks whether the user is a member of the user group linked to the app connector. If that is the case, Profit sends an e-mail message with a password for single use to the user.
- The user completes the process by requesting a token using the one-time password (OTP).
- Profit verifies the password and sends the token back to the external app.
If a user can access an app connector using different devices, then he or she has a user token for each device for the app connector. You can delete all user tokens if the user no longer should have access. If you only want to block a specific device, only delete the corresponding token. You distinguish between the different user tokens of a user by entering a different (unique) description for each user token.
A user is using an app connector via an iPhone and an iPad. This means he has two user tokens.
The user informs you that he has lost his iPad. That is why you delete the user token of the iPad for the app connector. He still has access via his iPhone.
You cannot view the user token from Profit. If, for example, a user replaces his current device with a new one, he must request a new user token.