Can I REST post to a device ID outside of my access token?

A friend and I just got our own Photons and we were wondering. Is there any way to send requests across access tokens?

As in, can I (with access token 123 and device ID abc) send a message to his Photon (with access token def and device ID 456)?

Given the internet LED example this would look like: <form action="https://api.particle.io/v1/devices/def/led?access_token=123" method="POST">

1 Like

I hope not. That would defy the whole purpose of securing these things with access tokens. Their sole purpose is to only allow the true owner to access things. If anyone would be able to access everyone’s device, there’d be no need for access tokens.

That said, if you could elaborate on what you’re trying to achieve as the end goal, we might be able to offer viable alternatives.

1 Like

I agree that security is important, but white-listing access tokens would be nice. From the same security idea though, giving away access tokens is like giving away your house keys. I would hope there is some middle ground where I could cross communicate.

Maybe I just have to write my own server code to host the authentication.

You should be able to interact if you supply each other with a temporary or permanent access key.
Check out this tutorial from the docs:
https://docs.particle.io/guide/getting-started/examples/photon/#the-buddy-system-publish-and-subscribe

2 Likes

Exactly what I needed. Thanks!

That will be visible to everyone though.
So if it's sensitive data, you will need to encrypt it (and everybody can send fake data if not).

Depending on what you’re trying to do, publish() and subscribe() might also work.

Yeah, it would just be for a fun house to house thing. If I did want to encrypt it, is there an encryption library for the Photon? Can I use Arduino ones?

Sorry for the n00b question, I haven’t gotten a chance to actually do anything with mine yet.

There's a few C/Arduino encryption libs out there; it would be nice if the Photon exposed some of the functions used for cloud encryption already, but there are plain C implementations of TEA/AES.

TEA is very small, but as the wiki says, not bulletproof, but good enough for playing around.

However, the docs mention you can limit a subscribe to a single device. I wonder if that works if the device is not yours; that way you would offload the job to Particle to make sure only that device can send messages.

Spark.subscribe("motion/front-door", motionHandler, "55ff70064989495339432587");

1 Like
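
An added example (not code from the thread or from Particle) of the TEA option mentioned above: the sender encrypts a short message with a pre-shared 128-bit key before publishing it, and the receiver decrypts it. Each 8-byte block is encrypted independently, which hides the content but does not authenticate the sender. Assumptions: the names `tea_seal` and `tea_open`, the fixed 16-byte payload, and both devices sharing the same byte order.

```c
#include <stdint.h>
#include <string.h>

#define TEA_DELTA 0x9E3779B9u   /* TEA key-schedule constant */
#define TEA_ROUNDS 32
#define PAYLOAD_LEN 16          /* assumed fixed payload size: two 8-byte blocks */

/* One 64-bit TEA block in place; decrypt != 0 runs the rounds backwards. */
static void tea_block(uint32_t v[2], const uint32_t k[4], int decrypt) {
    uint32_t v0 = v[0], v1 = v[1], sum = decrypt ? TEA_DELTA * TEA_ROUNDS : 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        if (decrypt) {
            v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
            v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
            sum -= TEA_DELTA;
        } else {
            sum += TEA_DELTA;
            v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
            v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        }
    }
    v[0] = v0; v[1] = v1;
}

/* Run TEA over every 8-byte block of a PAYLOAD_LEN buffer, in place. */
static void tea_buf(unsigned char buf[PAYLOAD_LEN], const uint32_t k[4], int decrypt) {
    for (size_t off = 0; off < PAYLOAD_LEN; off += 8) {
        uint32_t v[2];
        memcpy(v, buf + off, 8);    /* host byte order on both ends (assumption) */
        tea_block(v, k, decrypt);
        memcpy(buf + off, v, 8);
    }
}

/* Sender: zero-pad msg into out and encrypt it. Returns -1 if msg is too long. */
int tea_seal(const char *msg, const uint32_t k[4], unsigned char out[PAYLOAD_LEN]) {
    size_t len = strlen(msg);
    if (len > PAYLOAD_LEN) return -1;
    memset(out, 0, PAYLOAD_LEN);
    memcpy(out, msg, len);
    tea_buf(out, k, 0);
    return 0;
}

/* Receiver: decrypt a copy of in; out is NUL-terminated text. */
void tea_open(const unsigned char in[PAYLOAD_LEN], const uint32_t k[4], char out[PAYLOAD_LEN + 1]) {
    memcpy(out, in, PAYLOAD_LEN);
    tea_buf((unsigned char *)out, k, 1);
    out[PAYLOAD_LEN] = '\0';
}
```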