Skip to main content
NICE CXone Expert
Expert Success Center

Authorization Tokens

Expert uses different types of tokens for API access and authorization.

Token Attributes

  • All tokens are scoped to and unique to a site
  • Can be a single string value or multiple string values, such as key / secret pairs
  • Token string values can be up to 255 characters long

Supported Tokens

  • Auth Token - Represents an authenticated user identity on a site
  • Browser API Token - Allows browser integrations that call the API to execute on trusted domain names
  • Server API Token - Allows server applications to call the API

Auth Token

Auth Tokens (often stylized as authtoken) are set as HTTP cookies in a user's web browser after authentication. Auth Tokens are generated by a site and are cryptographically signed to prevent tampering.

Browser API Token

Browser API Tokens are sent from a website, web application, or simply anything that runs in a web browser to the API. Implementations with Browser API Tokens are written in web browser executable languages such as JavaScript.

Normally, web browsers such as Google Chrome or Mozilla Firefox do not allow JavaScript applications running on one website to access data from another. Browsers block cross-origin requests and responses due to the security issues it can cause, especially if one website's JavaScript application uses the cookies of another website to impersonate a user's identity for nefarious purposes. However, a website can declare which third party websites can securely access its data using Cross Origin Resource Sharing (CORS). Browser API Tokens allow developers to implement CORS in a safe and secure manner. In addition to CORS, Browser API Tokens also allow same origin API access from JavaScript executed in content on a site to the same site's API.

A Browser API Token has no specific user permissions for the API to determine which operations are or are not allowed. User permissions are determined by the web browser session's authtoken HTTP cookie. If the user accessing the integration has not signed in to the site, then the API considers the user to be an anonymous user

Authorizing web browser integrations with the MindTouch API
Authorize integrations between the MindTouch API and websites, web applications, Google Chrome apps, or simply anything that runs in a web browser.
Pages: 2

Server API Token

Server API Tokens are used to create integrations between a server application, IoT, bots, or anything that can communicate over HTTPS, and the API. Implementations with Server API Tokens are typically written in server executed languages such as C#, Java, JavaScript (Node.js), Python, Go, and PHP. The token consists of a key and a secret which are used to sign API requests, allowing valid requests through and rejecting invalid or expired requests. The token secret is meant to be kept in a secure place, and should never be shared or sent across the internet in plain text.

Authorizing server integrations with the MindTouch API
Authorize integrations between the MindTouch API and server applications, IoT devices, bots, or anything that can communicate over HTTPS.
Pages: 2

OAuth API Token

While Server API Tokens provide a developer with the ability to connect applications and devices to the API with unlimited permissions, under some scenarios this level of access control is inappropriate for a developer. Examples include integrations between the API and a third-party service, on behalf of the organization deploying CXone Expert. By implementing OAuth 2.0 authorization flows, OAuth API Tokens allow users to authorize which applications or devices can access their user identities and allowed operations such as reading and writing content. OAuth API Tokens can be safely given to third-party developers, without the concern of handing over site administrator access.

Authorizing OAuth 2.0 integrations with the MindTouch API
Integrate MindTouch users with server applications, IoT devices, bots, or anything that can communicate over HTTPS using an industry-standard authorization framework .
Pages: 2

Identity Token Exchange

Exchange an identity token for a session based on a mutually trusted identity provider.  In the event that the user is not pre-existing within the Expert system, they will be provisioned on a just-in-time basis. Read additional steps to configure and review technical specifications. 

Legacy Tokens

  • Impersonation Auth Token - A legacy token that was used in a deprecated custom Single Sign-On flow
  • Site API Key - A legacy token that elevated API access permissions

Legacy token integrations implement weak security practices and should be avoided.

Support for legacy tokens is limited. Site API Keys were secret string values that were transferred to the Expert API as an HTTP header or query parameter. As a result, there are several vectors to compromise the Site API Key, leading to abuse or breaches. Impersonation Auth Tokens were a token signature format, signed by the Site API Key, that allowed an integration to generate an Auth Token for whichever user identity the integration required. 


  • Was this article helpful?