Access Token permission levels

It would be great if we could generate a “limited” access token that would allow one to only read variables and call methods, but not flash the core and reconfigure wifi settings, etc.

If I have a website (or app) that talks to a bunch of cores to get data from them, I would like to not have to worry about someone hacking the site, getting hold of “the” access token and wreaking havoc by flashing the cores with malicious code.

Is this something that has been considered by the Spark team? Are there alternative approaches one can use to safeguard the cores from unauthorized use?

Thanks,
Alexander

3 Likes

This is indeed in the pipeline but not yet implemented. This is definitely a feature a lot of users want.

1 Like

Cool! Thanks for being on the ball guys!

Great, I will be so happy when this is implemented, glad to hear it’s in the pipeline!

We teach Spark to kids, and it’s much easier to limit the API calls to just browser-based ones. No way to hide the access token in this case.

Another way you could implement this is to allow Spark functions and variables to be registered as allowing anonymous access. This could be done by specifying a parameter that indicates that this function / variable can be called / read without an access token.

e.g.:

Spark.function("ringDoorBell", ringDoorBell, TRUE);

This would allow this API call to work with no access_token parameter:

curl https://api.spark.io/v1/devices/dfa0bcab31654136b2e5c40a/ringDoorBell -d params=Short -g

2 Likes
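
A sketch of the authorization model requested in this thread, as an added example that is not part of the original posts and not Spark's code: a "limited" token that can read variables and call functions but not flash or reconfigure, plus functions registered for anonymous access. The scope names, the `authorize` function, the `Device` class and the sample tokens are assumptions made for illustration.

```python
# Hypothetical model of scoped tokens and per-function anonymous access.
# None of these names are Spark Cloud APIs; all sample data is constructed.
from dataclasses import dataclass, field

READ_VARIABLE = "read_variable"
CALL_FUNCTION = "call_function"
FLASH = "flash"
CONFIGURE = "configure"

# What each token scope may do. "limited" matches the request in the first
# post: read variables and call functions, nothing else.
SCOPES = {
    "full": {READ_VARIABLE, CALL_FUNCTION, FLASH, CONFIGURE},
    "limited": {READ_VARIABLE, CALL_FUNCTION},
}

# Actions that firmware may ever open up to callers without a token.
# Flashing and reconfiguration are never eligible, whatever is registered.
ANONYMOUS_ELIGIBLE = {READ_VARIABLE, CALL_FUNCTION}


@dataclass
class Device:
    tokens: dict                                  # token string -> scope name
    anonymous: set = field(default_factory=set)   # {(action, name), ...}


def authorize(device, action, name=None, token=None):
    """Return True only when the request is explicitly permitted."""
    if token is None:
        # No token: only a specific function/variable that was registered
        # with the anonymous flag, and only for an eligible action.
        return action in ANONYMOUS_ELIGIBLE and (action, name) in device.anonymous
    scope = device.tokens.get(token)
    if scope is None:
        return False  # unknown or revoked token: fail closed
    return action in SCOPES.get(scope, set())


# Constructed sample: one full token kept private, one limited token that
# could be embedded in a web page, and ringDoorBell registered as anonymous.
DOOR = Device(
    tokens={"tok-full-EXAMPLE": "full", "tok-web-EXAMPLE": "limited"},
    anonymous={(CALL_FUNCTION, "ringDoorBell")},
)

if __name__ == "__main__":
    print(authorize(DOOR, CALL_FUNCTION, "ringDoorBell"))        # anonymous call
    print(authorize(DOOR, FLASH, token="tok-web-EXAMPLE"))       # limited token
```
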

I believe such a feature is also on the “to do” list. We were talking about it sometime last month IIRC

1 Like