Authorization when invoking device cloud functions in product

I have created a Particle product. The devices talk to the backend via events and integrations. Sometimes the backend needs to invoke a function on the device. The devices are not owned by the same account. How can I invoke a cloud function from the backend? Can I use a single administrator token or do I need to store tokens for every owner? Or am I going about this completely wrong?

In a product there are two types of access tokens: customer/user tokens, which are typically associated with a device, and product bearer tokens, which apply across the product.

For products, both the customer token and product bearer token can be used to call functions on the device. There are two separate use cases for this:

  • A mobile app that is signed into the customer account may want to directly control the device using the Particle API instead of a front-end service. The customer token can be used for this.
  • A front-end app managing an entire product can use the product token to call a function on any device in a product using the product token.

There are also two other possibilities:

  • A product can claim every device to a single account. This is more common with cellular devices, because there’s no need for a mobile app to configure Wi-Fi.
  • A product can leave the devices unclaimed. There are caveats to this, most notably the device cannot receive private events. However, it can receive function calls authenticated by the product bearer token.

A side note: The product event stream is unidirectional from the device to the cloud. If you need to send private events to a device it has to be claimed, and you need to use a device owner token, not the product token. This could either be the token that was actually used to claim the device, or as the product owner you can generate customer impersonation tokens for this purpose. Of course this is also simpler if you claim every device to a single account, since you only have to deal with one token.

Thanks for your answer. This case most resembles what we are looking for.

When searching the Particle website I cannot find a “product bearer token” mentioned anywhere. Where is this documented?

This should help explain the product bearer token
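
The backend flow discussed in this thread, as an added example that is not part of any original post: it builds (without sending) the request for a short-lived product bearer token and the product-scoped function call, keeping the token in the `Authorization` header and out of the URL. The endpoint paths and the `expires_in` parameter are assumptions based on the Particle Cloud API documentation and should be checked against it; the product slug, device ID, function name and credentials are constructed placeholders.

```python
import base64
import urllib.parse
import urllib.request

API = "https://api.particle.io"  # Particle Cloud API base URL


def token_request(client_id, client_secret, ttl_seconds=3600):
    """Client-credentials request for a product bearer token.

    Assumes an OAuth client created for the product. A short TTL limits
    the damage if the token leaks, since it applies across the product.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "expires_in": ttl_seconds}
    ).encode()
    return urllib.request.Request(
        f"{API}/oauth/token", data=body, method="POST",
        headers={"Authorization": f"Basic {basic}"},
    )


def function_call_request(product, device_id, function, arg, token):
    """Product-scoped function call, independent of which account claimed the device."""
    if not token:
        raise ValueError("missing product bearer token")
    # Percent-encode every path segment so an untrusted device ID or function
    # name cannot redirect the call to a different API path.
    prod, dev, fn = (urllib.parse.quote(str(p), safe="")
                     for p in (product, device_id, function))
    body = urllib.parse.urlencode({"arg": arg}).encode()
    return urllib.request.Request(
        f"{API}/v1/products/{prod}/devices/{dev}/{fn}", data=body, method="POST",
        # Header, not query string: URLs end up in proxy and access logs.
        headers={"Authorization": f"Bearer {token}"},
    )


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    req = function_call_request("my-product", "0123456789abcdef01234567",
                                "setMode", "eco", "PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data)
```

Passing either request to `urllib.request.urlopen()` sends it; the client secret and the resulting token belong in the backend's secret store, never in device firmware or a mobile app.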