Using the WATS rest API to create API tokens will be removed in WATS version 2025.3.
WHY?
Creating tokens with the GET api/auth/GetToken rest API used to be the only way to create tokens for authenticating with the rest API. WATS version 2021.1 introduced the Tokens page in the Control Panel, which shows a list of existing tokens and allows more configuration, including revoking the tokens.
Due to security concerns, the GET api/auth/GetToken and GET api/auth/GetToken/{identifier} rest APIs are being removed with the release of WATS version 2025.3.
WHAT IS THE IMPACT FOR YOU AS A CUSTOMER?
The main use of this rest API might be to distribute a program with one shared token that is used to provision each instance of the program with its own token.
- If the program stores this token for next time and does not "reset" its token on each run or at startup, existing instances will continue to work.
- New deployments, or programs that uses the shared token to fetch a rest API token each time, will stop working. These must be deployed along with their own token created with the Tokens page in WATS.
NOTE: Multiple instance of the same program can use the same token, but there is a limit to how many requests one token can make to WATS per minute, so too many instances sharing the same token could cause problems. Also shared tokens have larger impact if the token is leaked and must be revoked.
HOW SHOULD YOU PREPARE FOR THIS?
Programs that rely on the GET api/auth/GetToken rest API must be updated to handle getting an error response and continue working by reading a valid token from somewhere local instead.
Comments
0 comments
Please sign in to leave a comment.