I’m developing an application with Particle devices where multiple users need to interact with the same device. Each user receives access to the devices they need, and this access may be revoked at any time.
I can obviously do this with my own server which manages user accounts and also makes all Particle API calls to control devices when requested by users. But this feels inefficient. If possible I would like to use the two-legged authentication implementation and a nice webapp with ParticleJS. The problem is I can’t find a way to generate a per-device access token, it seems that for a Customer to communicate with a Particle device they must first claim the device to their account and then they can use their access key.
Is there any way to generate an access token that allows a customer to interact with a device that hasn’t been claimed to their account?
Or is what I’m trying to do impossible and I have to go for the inefficient approach?
The way to achieve what you want would be to create a product with a product bearer token rather than a user based token. The product does not need to have an owner but can have a single organisation owner if you really want one.
Access to the device can be shared by controlling access from a web app where the web app determines whether a specific user has the authority to interact with a specific device. As you have described except this is not inefficient - having multiple access tokens would be inefficient and less secure.
Welcome!! I am sure you will have a great time using Particle and this forum, there are some really clever and helpful guys in here.
@armor already gave you some solid advice, so I will just put in my 2 cents worth;
I have had similar situations but controlled access to the device from the UI side as apposed to try and do this on the device in some way. It just made sense as I figured it will be easier to change access permissions on the UI than on device. I agree with @armor having multiple access tokens for a single device would be less ideal, if even possible, honestly not sure.
Suppose it all depends on how these clients will interact with the device? My apologies if I am missing something obvious,