# gooddata-cn
p
I'm currently on GoodData 3.8. I have created a personal access token with id "my.pat" assigned to my user "pete.lorenz". I'm trying to understand if I can retrieve this token from the API after it's created if I have the organization admin token. The Swagger seems to suggest that it's possible if I call the apiTokens API:
```bash
curl --location 'https://ORG_URL/api/v1/entities/users/pete.lorenz/apiTokens/my.pat' \
--header 'Authorization: Bearer ADMIN_TOKEN' \
--header 'Content-Type: application/vnd.gooddata.api+json'
```
The Swagger says I should have a response with the bearerToken in it such as:
```json
{
  "data": {
    "attributes": {
      "bearerToken": "string"
    },
    "id": "id1",
    "type": "apiToken"
  }...
}
```
However, I get a 200 response with empty attributes like this:
```json
{
    "data": {
        "id": "my.pat",
        "type": "apiToken",
        "attributes": {}
    }...
}
```
Am I misunderstanding how this API should work?
m
Hi Pete, it is not possible to get the actual value of the bearer token as it is hashed for security reasons. But I found this old thread where some ideas were proposed, I hope you find it helpful! https://gooddataconnect.slack.com/archives/C01P3H2HTDL/p1691043561200609
p
Thanks, Moises. This makes sense, just note that the Swagger suggests that the value is retrievable. We're looking at this functionality as a way to make API calls through GD SDK from the context of a user who's signed in via OAuth2. Perhaps there's a better way to do this but we need some token or security context to make the API calls.
b
Hi Pete, thank you for pointing out this error in our documentation. I will pass the feedback to our documentation team so it can be corrected. As for the way of "getting" a token, the hash value is only displayed once when it is created for better security. However, as a workaround, you could create a new temporary token for the target user, parse the hash value, do the action and then delete it straight away. An example of how this could be done would be the following:
```bash
# 1. With the admin token, create a temporary token for some_user.
#    The bearerToken value is only returned in this creation response.
temp_token=$(curl --silent --no-progress-meter --request POST -H 'Content-type: application/vnd.gooddata.api+json' \
    -H 'Authorization: Bearer ADMIN_TOKEN' \
    -d '{"data":{"id":"temp.token","type":"apiToken"}}' \
    "$HOST_URL/api/v1/entities/users/some_user/apiTokens" | jq -r .data.attributes.bearerToken)

# 2. Example action executed as some_user with the temporary token.
curl --no-progress-meter --request GET -H 'Content-type: application/vnd.gooddata.api+json' \
    -H "Authorization: Bearer ${temp_token}" \
    "$HOST_URL/api/v1/entities/workspaces/workspace_id/visualizationObjects" | jq .

# 3. Delete the temporary token.
curl --no-progress-meter --request DELETE -H 'Content-type: application/vnd.gooddata.api+json' \
    -H "Authorization: Bearer ${temp_token}" \
    "$HOST_URL/api/v1/entities/users/some_user/apiTokens/temp.token"
```
Please note that the second `curl` is just an example of a call/action to get visualization objects which is executed as `some_user` for which the temporary token has been created and deleted with the 3rd call. Regarding your note about using GD SDK, did you mean the React / UI SDK? If so, then perhaps the following page: https://www.gooddata.com/docs/gooddata-ui/latest/learn/integrate_and_authenticate/ and its subpages might be what you are looking for?
p
Thanks Branislav. We are using both Python and React SDKs and will need to authenticate through both. Will read the docs and get back with any questions. Thanks again!