Attaching Tokens to HTTP Requests
Overview
When interacting with Trongate API endpoints, it is essential to include the Trongate token in the HTTP request headers for authentication. This ensures that the server can validate the user's identity and authorize access to protected resources. Below are demonstrations of how to attach a Trongate token to HTTP requests using JavaScript, specifically with XMLHttpRequest and the modern Fetch API.
Note: The Trongate token should be included in the trongateToken header for all authenticated requests. Ensure that the token is securely stored and transmitted over HTTPS to prevent unauthorized access.
Using XMLHttpRequest
The XMLHttpRequest object provides a traditional way to send HTTP requests in JavaScript. Below is an example of how to attach a Trongate token to the request headers using this approach:
Explanation
- targetUrl: Replace this with the actual URL of the Trongate API endpoint you wish to interact with.
- token: Replace this placeholder with the actual Trongate token generated for the user.
- setRequestHeader: The trongateToken header is explicitly set to include the token for authentication.
- onload: This event handler processes the server's response once the request is complete.
Using Fetch API
The Fetch API offers a more modern and promise-based approach to making HTTP requests. Below is an example of how to attach a Trongate token to the request headers using the Fetch API:
Explanation
- targetUrl: Replace this with the actual URL of the Trongate API endpoint you wish to interact with.
- token: Replace this placeholder with the actual Trongate token generated for the user.
- headers: The trongateToken header is included in the request to authenticate the user.
- Promises: The Fetch API uses promises to handle asynchronous operations, making it easier to manage responses and errors.
Developers using Trongate MX are advised to use the 'mx-token' attribute, which automatically adds token data to HTTP requests.
Fetching Tokens from HTTP Headers Using Pure PHP
In server-side PHP code, tokens sent via HTTP headers can be accessed directly using the $_SERVER superglobal. For example:
In the code sample above, a $token variable is assigned the value of a 'Trongate token' passed via an HTTP request header. If no such header is found, the $token variable will be assigned a boolean value of false.
Accessing token data from the header via the $_SERVER superglobal does not confirm whether the token passed via the header is valid.
To validate token data, refer to the token validation documentation for guidance on using the Trongate Tokens class.
Security Considerations
When attaching tokens to HTTP headers, keep the following security considerations in mind:
- HTTPS: Always transmit tokens over HTTPS to encrypt the data and prevent interception by malicious actors.
- Token Storage: Store tokens securely on the client side. For web applications, consider using secure cookies or session storage to minimize exposure.
- Token Expiry: Ensure that tokens have a reasonable lifespan and implement mechanisms to refresh or regenerate them as needed.
- Error Handling: Implement robust error handling to detect and respond to failed authentication attempts or expired tokens.
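The Fetch approach described earlier, combined with the HTTPS and error-handling points from this list, as an added example that is not part of the Trongate documentation. Only the trongateToken header, targetUrl and token come from the page; the function names, the redirect setting, the token character check and the treatment of 401/403 as a rejected token are assumptions.

```javascript
// Added example: buildTrongateRequest and sendWithToken are hypothetical helper names.

// Build fetch() arguments that carry the token in the trongateToken header.
// Throws rather than producing a request that would expose the token.
function buildTrongateRequest(targetUrl, token, method = 'GET', body = null) {
  const url = new URL(targetUrl); // throws TypeError on a malformed URL
  if (url.protocol !== 'https:') {
    throw new Error('Refusing to send token over ' + url.protocol);
  }
  // Sanity check (assumption): non-empty printable ASCII with no spaces,
  // which also rejects CR/LF that must never reach a header value.
  if (typeof token !== 'string' || !/^[\x21-\x7e]+$/.test(token)) {
    throw new Error('Token is missing or contains invalid characters');
  }
  const options = {
    method,
    headers: { trongateToken: token },
    redirect: 'error', // fail on redirects instead of resending the header elsewhere
  };
  if (body !== null) {
    options.headers['Content-Type'] = 'application/json';
    options.body = JSON.stringify(body);
  }
  return { url: url.href, options };
}

// Send the request and separate authentication failures from other errors.
// fetchImpl is injectable so the function can be exercised without a network.
async function sendWithToken(targetUrl, token, fetchImpl = fetch) {
  const { url, options } = buildTrongateRequest(targetUrl, token);
  const response = await fetchImpl(url, options);
  if (response.status === 401 || response.status === 403) {
    // Assumption: the endpoint answers 401/403 for a missing, invalid or expired token.
    const err = new Error('Token rejected (HTTP ' + response.status + ')');
    err.authFailed = true; // caller should discard the token and re-authenticate
    throw err;
  }
  if (!response.ok) {
    throw new Error('Request failed (HTTP ' + response.status + ')');
  }
  return response.text();
}
```

A caller can check `err.authFailed` to decide between prompting for a fresh login and reporting a general request error.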