Trongate Docs

Understanding API Authorization

Trongate handles authorization by means of an in-built token security system that ships with the framework. Before moving on to API authorization, it's highly recommended that you read the Authorization and Authentication chapter of these docs. Doing so will clarify what things like 'roles' are and how token authorization works with Trongate.

With the assumption that you have familiarised yourself with that material, let's explore how Trongate handles API authorization.

What is API Authorization?

The phrase "API Authorization" refers to making API endpoints accessible only to users who have permission to use them. Trongate offers six different API authorization methods. They are:

  • Wide Open Authorization - a setting that makes an endpoint accessible to everyone, regardless of whether or not they have logged in.
  • Role Based Authorization - a type of authorization that allows access based upon a user's role. A 'role' is a 'level_title' value, as found on the 'trongate_user_levels' database table.
  • ID Based Authorization - a type of API authorization that allows access to users whose Trongate User ID exists inside a pre-defined array of permitted Trongate User IDs.
  • User ID Segment Authorization - looks at a given URL segment and grants access if the user's Trongate User ID corresponds with the value passed via the URL.
  • User Code Segment Authorization - looks at a given URL segment and grants access if the user's Trongate User Code corresponds with the value passed via the URL.
  • User Owned Segment Authorization - a type of authorization that grants access if a record ID, passed via the URL, is found to belong to a record owned by the requesting user.

In order for API authorization to work, at least one of the authorization mechanisms above must be declared - for the given endpoint - inside an api.json file.  It's possible, and even normal, for an endpoint to have multiple types of authorization rules in place.  When that happens, the end user only has to pass one of the given authorization tests to be granted access.  

Just To Let You Know
Each of these authorization mechanisms above (with the exception of 'Wide Open Authorization') relies on the end-user having a valid Trongate security token attached to the header of a given HTTP request.
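As an added illustration of the two points above (rules are OR'ed, and every rule except 'Wide Open' needs a valid token), the PHP sketch below evaluates a set of api.json-style rules against a caller. It is not code from the Trongate framework or these docs: the key names (`roles`, `userIds`, `userIdSegment`, `userCodeSegment`, `userOwnedSegment`), the `$user` array (which the real framework derives from the token in the request header) and `$record_owner_id` are all assumptions made for this example.

```php
<?php
// Added illustration of Trongate-style API authorization rules.
// NOT the framework's own code: key names and inputs are assumed for this sketch.

// Constructed rules, in the spirit of an api.json "authorization" block.
// "*" (Wide Open) would make the endpoint public; it is deliberately absent here.
$rules = [
    'roles'            => ['admin'],                                  // Role Based
    'userIds'          => [7, 42],                                    // ID Based
    'userIdSegment'    => 3,                                          // User ID Segment (URL segment number)
    'userOwnedSegment' => ['column' => 'user_id', 'segment' => 3],    // User Owned Segment
];

// Constructed caller context: what a valid security token would identify.
// A request carrying no valid token is represented by $user = null.
$user = ['id' => 15, 'code' => 'abc123', 'role' => 'member'];

// URL segments for a request such as /api/get_order/99 (segment 3 is "99").
$segments = [1 => 'api', 2 => 'get_order', 3 => '99'];

// Owner of record 99, as looked up from the endpoint's table (constructed value).
$record_owner_id = 15;

function is_authorized($rules, ?array $user, array $segments, $record_owner_id): bool {
    if ($rules === '*') {
        return true;                        // Wide Open: no token required
    }
    if ($user === null) {
        return false;                       // every other rule type needs a valid token
    }
    $seg = fn(int $n) => $segments[$n] ?? null;

    // Rules are OR'ed: the first rule that passes grants access.
    if (!empty($rules['roles']) && in_array($user['role'], $rules['roles'], true)) return true;
    if (!empty($rules['userIds']) && in_array($user['id'], $rules['userIds'], true)) return true;
    if (isset($rules['userIdSegment']) && (string)$user['id'] === $seg($rules['userIdSegment'])) return true;
    if (isset($rules['userCodeSegment']) && $user['code'] === $seg($rules['userCodeSegment'])) return true;
    if (isset($rules['userOwnedSegment']) && $seg($rules['userOwnedSegment']['segment']) !== null
        && $record_owner_id === $user['id']) return true;
    return false;                           // no rule matched: deny
}

var_dump(is_authorized($rules, $user, $segments, $record_owner_id)); // member, but owns record 99
var_dump(is_authorized($rules, null, $segments, $record_owner_id));  // no valid token
var_dump(is_authorized('*', null, $segments, null));                 // Wide Open endpoint
```

In the first call the caller fails the role, ID and segment checks but is still granted access because the User Owned Segment rule passes; the second call is denied because no rule other than Wide Open can pass without a token.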

Top Tip
Learn how to easily generate valid Trongate security tokens, in JavaScript, here.

Coming Up Next

Before exploring each of these authorization mechanisms, let's clarify how to attach Trongate security tokens to our HTTP requests, in JavaScript.
