Setting up Access Tokens for Clients that own multiple devices

Likely this conversation has occurred many times and I just couldn't find it while searching. Please link a conversation if one already exists.

The Goal:

The end goal for this project is to allow users to access a website where they can make Particle function calls to update their devices (setVoltage(), setCurrent(), etc.). Each client can have many devices and they need to be able to update each one separately.

The Problem:

I'm not sure where to even start this. I'm new to the Particle game. I've read through many of the docs but just need a good starting place.
What would be the best way to set this up?
Is there a way for a client to have a product API that allows them to access all their devices for simple put and get functions?
I want to start this process correctly so I don't have to redo everything in a few months.

Many thanks!

How are the users planning on controlling their devices? Mobile app, web site, or both? In general, we recommend doing all of the customer-centric operations from your own back-end server, with your own authentication, and making API calls from your server on behalf of your customers, since you presumably know which users have access to which devices. You basically have a super-token on your server that can access all users, eliminating the need to maintain many tokens.

It is possible to create customer tokens, but we don't recommend doing this because it will add a great deal of complexity to user and device setup. While this does allow the user to make direct calls to the Particle API for their devices, you'll still need to have a server in order to manage which users are associated with which devices, and also things like password reset. So the perceived simplicity isn't really any simpler. Also it means that your mobile or web developer will need to be well-versed in Particle token management, instead of general web authorization techniques.


Hey Rickkas, thanks for the reply!

To answer your first question: no, the users will not be directly controlling their device. They will be interacting with a website that allows them to schedule changes, and these requests get saved and processed either as they arrive or at a specified time.

I have not heard of this "Super-token". If I have this, can I use it to make any API calls to any device? Does using a key that has access to all possible user devices raise any security concerns?

I was planning on keeping key-client pairs in a table in our database, but if I don't have to make a query for each client every time a request is made, that would be very handy.

You'll create a product to group all of the devices from all of your customers.

For the product, you can create an API user for your server. This determines which features your server will be able to access on behalf of your customers. If you really only need function calls, you can make an API user that only has access to that.

Of course you still need to protect the token because it will have access to every user's devices, but as long as it's on your server and not in client JavaScript, you should be fine.
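The server-side pattern described in this thread (one product, one scoped API-user token kept on the back end, the server checking which customer owns which device before calling a function), as an added Node.js example that is not code from the thread or from Particle. The product id, token, customer/device ids and the allowed-function list are constructed placeholders; the Particle product function-call endpoint and the `devices.function:call` scope name are taken from my understanding of the Particle Cloud API and should be checked against the current docs.

```javascript
// Added example: a minimal back-end authorization layer for Particle function calls.
// The API-user token never leaves the server; customers only talk to this back end.

// Placeholders: set these from your environment / config, never from client code.
const PRODUCT_ID = 'PRODUCT_ID_PLACEHOLDER';
const API_USER_TOKEN = process.env.PARTICLE_API_USER_TOKEN || 'TOKEN_PLACEHOLDER';
// The API user behind API_USER_TOKEN is assumed to hold a single scope,
// devices.function:call, so a leaked token cannot list, claim or flash devices.

// Constructed sample ownership table: customer id -> device ids that customer owns.
// In a real deployment this is the database table mentioned in the thread.
const ownership = new Map([
  ['cust-1', new Set(['dev-aaa', 'dev-bbb'])],
  ['cust-2', new Set(['dev-ccc'])],
]);

// Allow-list of firmware functions the website may invoke, with an argument check each.
const ALLOWED_FUNCTIONS = {
  setVoltage: (arg) => /^\d+(\.\d+)?$/.test(arg),
  setCurrent: (arg) => /^\d+(\.\d+)?$/.test(arg),
};

function ownsDevice(customerId, deviceId) {
  const devices = ownership.get(customerId);
  return devices !== undefined && devices.has(deviceId);
}

// Builds the request the server would send to Particle, or returns { error } without
// ever exposing the token. Authorization happens here, not on the Particle side.
function buildFunctionCall(customerId, deviceId, fnName, arg) {
  if (!ownsDevice(customerId, deviceId)) return { error: 'forbidden' };
  const validate = ALLOWED_FUNCTIONS[fnName];
  if (!validate) return { error: 'unknown_function' };
  if (typeof arg !== 'string' || !validate(arg)) return { error: 'bad_arg' };
  return {
    method: 'POST',
    url: `https://api.particle.io/v1/products/${PRODUCT_ID}/devices/${encodeURIComponent(deviceId)}/${fnName}`,
    headers: {
      Authorization: `Bearer ${API_USER_TOKEN}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ arg }).toString(),
  };
}

// Performs the call (Node 18+ global fetch); log customerId/deviceId/fnName here for audit.
async function callFunction(customerId, deviceId, fnName, arg, fetchImpl = globalThis.fetch) {
  const req = buildFunctionCall(customerId, deviceId, fnName, arg);
  if (req.error) return req;
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return res.json();
}
```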

Just adding some useful links:

As Rick mentions, API users are the preferred and most secure method to interact with the Particle API: you scope the token with the least amount of access, so if it ever leaks, the damage is minimal.
Manage the token on your end, and have customers interact with your backend instead of directly with Particle. Among other things, this allows you to log interactions etc., which is useful for troubleshooting.