
Generate a delegation token

POST /sites/:siteId/delegationTokens

Creates a KMS-signed delegation token for a site. This endpoint requires ADMIN permission for the requested siteId. The returned token is sent on later API requests in the x-formkiq-delegation-token header and reduces the caller's effective permissions to the requested subset for that site. It cannot grant ADMIN, add permissions the caller does not already have, or add access to other sites. When onBehalfOf is supplied, activity created while using the token is attributed to that username while the signed token still records the ADMIN principal that issued it. The reason is signed into the token for audit and support traceability.

Request

Path Parameters

    siteId string required

    Site Identifier

Body

required

    permissions DelegationTokenPermission (string)[] required

    Permissions to keep while the delegation token is applied. These must be a subset of the caller's current permissions for the site and cannot include ADMIN.

    Possible values: [READ, WRITE, DELETE, GOVERN]

    onBehalfOf object

    User identity to store in the signed delegation token.

    username string required

    Username to use for activity/audit attribution when the delegation token is applied.

    Possible values: non-empty and <= 256 characters

    reason string required

    Reason the delegation token is being generated. Stored in the signed token for audit/support traceability.

    Possible values: non-empty and <= 1024 characters

Responses

200 OK

Response Headers

  • Access-Control-Allow-Origin

    string

  • Access-Control-Allow-Methods

    string

  • Access-Control-Allow-Headers

    string

Schema

    headerName string
    Example: x-formkiq-delegation-token
    delegationToken string

    Signed token to send in the x-formkiq-delegation-token request header.
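
The following client-side sketch is an added example, not FormKiQ code: it checks a request body against the constraints documented above before building the POST, then turns the 200 response into the header for later calls. The base URL, the Authorization header scheme, the function names and the sample values are assumptions; the caller's permission set is supplied by the caller.

```python
import json
from urllib.parse import quote
from urllib.request import Request

GRANTABLE = {"READ", "WRITE", "DELETE", "GOVERN"}  # documented values; ADMIN is never grantable

def build_delegation_request(base_url, site_id, bearer, caller_perms, permissions,
                             reason, on_behalf_of=None):
    """Check the body against the documented limits; return an unsent POST request."""
    caller, wanted = set(caller_perms), set(permissions)
    if "ADMIN" not in caller:
        raise PermissionError("caller needs ADMIN on this siteId")
    if wanted - GRANTABLE:
        raise ValueError(f"not grantable: {sorted(wanted - GRANTABLE)}")
    if wanted - caller:
        raise ValueError(f"caller does not hold: {sorted(wanted - caller)}")
    if not 0 < len(reason) <= 1024:
        raise ValueError("reason must be 1..1024 characters")
    body = {"permissions": sorted(wanted), "reason": reason}
    if on_behalf_of is not None:
        if not 0 < len(on_behalf_of) <= 256:
            raise ValueError("onBehalfOf.username must be 1..256 characters")
        body["onBehalfOf"] = {"username": on_behalf_of}
    url = f"{base_url.rstrip('/')}/sites/{quote(site_id, safe='')}/delegationTokens"
    headers = {"Authorization": bearer, "Content-Type": "application/json"}  # auth scheme assumed
    return Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")

def delegation_header(response_body):
    """Turn the 200 response into the header to attach to later, down-scoped requests."""
    doc = json.loads(response_body)
    return {doc["headerName"]: doc["delegationToken"]}

# Constructed sample values; nothing is sent over the network.
if __name__ == "__main__":
    req = build_delegation_request("https://api.example.com", "finance", "<access-token>",
                                   {"ADMIN", "READ", "WRITE", "DELETE"}, ["READ"],
                                   "Support case: reproduce read error", "jsmith")
    print(req.get_method(), req.full_url, req.data.decode())
    print(delegation_header('{"headerName": "x-formkiq-delegation-token", '
                            '"delegationToken": "<signed-token>"}'))
```

The server remains the authority on these rules; the local checks only catch a rejected request early and keep an over-broad permission list from being sent by mistake.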
