👤 User-based Tokens

This is the default way of authenticating.

When you generate a token using the procedure outlined in our quick start tutorial, that token is tied to the specific user that you logged in with to grant API access to the application. This is known as a user-based token, in contrast with library-based tokens, which can be generated by users for authorised third-party apps.

Permissions

This type of token allows the application to interact with the Apicbase API exclusively on behalf of the associated user. Any actions performed with this token are executed as though the user themselves is performing them. For instance, editing a recipe will record that user's name in the 'Modified By' field.

Equally important, applications using these tokens are subject to the same permission rules as the user associated with the token. The user who generates the token must therefore have the necessary permissions to perform a specific action, or the API will return a 403 Forbidden error. This check applies in addition to the application's own authorised scopes.

For example, to create a recipe, an application must have the products scope and the user associated with its token must have the "create recipe" permission.

Library-based tokens are not subject to these rules and will always have the same permission set as a library user with admin privileges (but still bound by their authorised scopes).

Switching Libraries

Another consequence of using user-based tokens is that the application operates within the currently active library of the associated user. If the user switches to a different library, the application will also begin operating in that library, which is typically not the intended behavior.

A user's active library is the one that is shown by default when you go to apicbase.com, and the one that's highlighted when you click the dropdown arrow on the top right.

If you would like your application to always operate on the same library and not on a user's active library, consider some alternative solutions.
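The rules from the Permissions and Switching Libraries sections, combined into one decision function. This is an added example, not Apicbase code: the `Token` class, `decide`, the reason strings, the library names and the `pinned_library` guard are all hypothetical, and how an integration learns the user's active library is left as an assumption.

```python
from dataclasses import dataclass

# Constructed table: the page gives only this one pairing
# (action that needs a user permission -> application scope).
REQUIRED_SCOPE = {"create recipe": "products"}

@dataclass(frozen=True)
class Token:
    kind: str                                  # "user" or "library"
    scopes: frozenset                          # scopes authorised for the application
    user_permissions: frozenset = frozenset()  # consulted for user-based tokens only
    # User token: the user's active library right now.
    # Library token: the library it belongs to (assumption).
    library: str = ""

def decide(token, action, pinned_library):
    """Return (allowed, reason) for one call the integration wants to make."""
    if REQUIRED_SCOPE[action] not in token.scopes:
        return False, "missing_scope"      # scopes bind both token kinds
    if token.kind == "user" and action not in token.user_permissions:
        return False, "user_forbidden"     # the API answers 403 Forbidden here
    # Library-based tokens skip the user check: they act with admin privileges.
    if token.library != pinned_library:
        return False, "wrong_library"      # client-side guard, not an API response
    return True, "ok"

def demo():
    """Run constructed sample tokens against an integration pinned to lib-A."""
    prod = frozenset({"products"})
    perm = frozenset({"create recipe"})
    cases = {
        "user, all good": Token("user", prod, perm, "lib-A"),
        "user, no permission": Token("user", prod, frozenset(), "lib-A"),
        "user, no scope": Token("user", frozenset(), perm, "lib-A"),
        "user, switched library": Token("user", prod, perm, "lib-B"),
        "library token": Token("library", prod, frozenset(), "lib-A"),
    }
    return {name: decide(tok, "create recipe", "lib-A") for name, tok in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

The "wrong_library" case is the one that fails silently without such a guard: the token is valid and the user has permission, so the write succeeds, but in whichever library the user last switched to.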