Generate a delegation token
POST/sites/:siteId/delegationTokens
Creates a KMS-signed delegation token for a site. This endpoint requires ADMIN permission for the requested siteId. The returned token is sent on later API requests in the x-formkiq-delegation-token header and reduces the caller's effective permissions to the requested subset for that site. It cannot grant ADMIN, add permissions the caller does not already have, or add access to other sites. When onBehalfOf is supplied, activity created while using the token is attributed to that username while the signed token still records the ADMIN principal that issued it. The reason is signed into the token for audit and support traceability.
Request
Path Parameters
Site Identifier
- application/json
Body
required
Permissions to keep while the delegation token is applied. These must be a subset of the caller's current permissions for the site and cannot include ADMIN.
Possible values: [READ, WRITE, DELETE, GOVERN]
onBehalfOf
object
User identity to store in the signed delegation token.
Username to use for activity/audit attribution when the delegation token is applied.
Possible values: non-empty and <= 256 characters
Reason the delegation token is being generated. Stored in the signed token for audit/support traceability.
Possible values: non-empty and <= 1024 characters
Responses
- 200
- 400
200 OK
Response Headers
Access-Control-Allow-Origin
string
Access-Control-Allow-Methods
string
Access-Control-Allow-Headers
string
- application/json
- Schema
- Example (from schema)
Schema
x-formkiq-delegation-tokenSigned token to send in the x-formkiq-delegation-token request header.
{
"headerName": "x-formkiq-delegation-token",
"delegationToken": "string"
}
400 Bad Request
- application/json
- Schema
- Example (from schema)
Schema
Array [
]
errors
object[]
List of errors
Error Key
Error Message
{
"errors": [
{
"key": "string",
"error": "string"
}
]
}