Anonymous Access from Client Apps

For security reasons, you can't use the app management token from client apps. To support serverless apps, Whisk provides an alternative mechanism.

Note: For browser applications you need to provide a list of domains which will be whitelisted.

A client application can request a short-lived token to access the API and keep a reference for the user:

curl "" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{ "client_id": "<YOUR-APP-ID>", "grant_type": "anonymous" }'

Example response:

{
  "access_token": "Xb609ErrcoRNwll9wwxbk70OxFrbxEOu8Ui8ZzV4yJDA9RvLRGFhlMAAfkP2OmSS",
  "expires_in": 86400,
  "token_type": "Bearer",
  "refresh_token": "oS1437tty6buHTef0VGkXgcR7PvOt2DDUntSjWaCtDqJX8osK7d3Mip38NjpJdTH"
}

The access_token from the response can then be used for communication from the client app. This Access Token is bound to a specific userId in the Whisk Platform.

You should respect the expires_in value, which is given in seconds. For short-lived tokens it is usually 1 day. If you try to access a resource with an expired token, you will get a response with a 401 code and the following body: {"description": "The Access Token expired;","code":"user.tokenExpired"}. In this case you can use the refresh token to request a new Access Token, which will be bound to the same user.

curl "" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{ "client_id": "<YOUR-APP-ID>", "grant_type": "refresh_token", "refresh_token": "oS1437tty6buHTef0VGkXgcR7PvOt2DDUntSjWaCtDqJX8osK7d3Mip38NjpJdTH" }'

This will provide a new Access Token.
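
The token lifecycle described above (anonymous grant, expires_in tracking, refresh on the user.tokenExpired error), as an added example that is not Whisk's own code. TOKEN_URL is a placeholder because the page does not show the endpoint; the names AnonymousSession, nextGrant, toState, isTokenExpired, the one-minute renewal margin and sending the token in an Authorization: Bearer header are assumptions of this example.

```javascript
// Added example, not Whisk's own code. TOKEN_URL is a placeholder: the page omits the endpoint.
const TOKEN_URL = "https://<WHISK-TOKEN-ENDPOINT>";
const SKEW_MS = 60 * 1000; // assumption: renew one minute before expires_in elapses
// Pick the grant body to send, or null while the cached token is still valid.
function nextGrant(state, clientId, nowMs) {
  if (!state) return { client_id: clientId, grant_type: "anonymous" };
  if (nowMs < state.expiresAt - SKEW_MS) return null;
  return { client_id: clientId, grant_type: "refresh_token", refresh_token: state.refreshToken };
}

// Convert a token response into cached state; expires_in is in seconds.
// Assumption: if a refresh response carries no refresh_token, the previous one is kept.
function toState(res, prev, nowMs) {
  if (res.token_type !== "Bearer" || !res.access_token) throw new Error("unexpected token response");
  const refreshToken = res.refresh_token || (prev && prev.refreshToken);
  return { accessToken: res.access_token, refreshToken, expiresAt: nowMs + res.expires_in * 1000 };
}

// True only for the documented expiry error, not for any other 401.
function isTokenExpired(status, body) {
  return status === 401 && !!body && body.code === "user.tokenExpired";
}

class AnonymousSession {
  constructor(clientId, fetchFn, now = Date.now) {
    Object.assign(this, { clientId, fetchFn, now, state: null }); // tokens held in memory only
  }
  async token() {
    const grant = nextGrant(this.state, this.clientId, this.now());
    if (!grant) return this.state.accessToken;
    const r = await this.fetchFn(TOKEN_URL, {
      method: "POST",
      headers: { Accept: "application/json", "Content-Type": "application/json" },
      body: JSON.stringify(grant),
    });
    if (!r.ok) throw new Error("token request failed: " + r.status);
    this.state = toState(await r.json(), this.state, this.now());
    return this.state.accessToken;
  }
  // Call an API URL with the Bearer token; on the expiry error, refresh once and retry once.
  async request(url) {
    for (let attempt = 0; ; attempt++) {
      const r = await this.fetchFn(url, { headers: { Authorization: "Bearer " + (await this.token()) } });
      const body = await r.json().catch(() => null);
      if (attempt > 0 || !isTokenExpired(r.status, body)) return { status: r.status, body };
      this.state.expiresAt = 0; // makes nextGrant choose the refresh_token grant
    }
  }
}
```

In a browser, pass window.fetch.bind(window) as fetchFn; any other 401 is returned to the caller unchanged rather than triggering a refresh.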