Artificial Intelligence Corporate Risk

Generic vs. User-Specific Tokens

When using the AIRisk API’s OAuth2 flow, you can obtain tokens that are (conceptually) either generic (not tied to any user) or user-specific. The difference comes down to whether you supply the optional userid parameter in the flow:

  1. Generic Access Tokens (application-only: not attached to a particular ApplicationUser, although retrieved using the credentials of a valid APIUser): If you do not include userid in the authorization and token requests, the resulting access_token represents your application itself, not any particular user. These tokens are useful for accessing endpoints or performing actions that are not user-specific.

    • For example, accessing public data or using client-wide privileges. The token is still scoped to what your client application is allowed to do, but no specific user's data is directly implicated. In practical terms, when your app uses this token, the AIRisk API sees the request as coming from your application in a general context, identifying the client only by its client_id, which is tied to an APIUser that may be used with arbitrary ApplicationUser instances.

      • In our case, /api/Users/ListUsers can be accessed with a generic token supplied as the bearer token in the HTTP headers. From its response, one can fetch the list of known user ids and then select one to log in as.

  2. User-Specific Access Tokens (on behalf of a user): If you do include a userid in the requests to /api/oauth2 and /api/api/oauth2/Token, the flow produces a token associated with that user. This typically means the user has explicitly authorized your app to act on their behalf. The token carries the identity or context of the specified user. Use these tokens to access or modify data that the user has access to in the AIRisk API.

Important distinctions:

  • A generic token might grant only limited, generic-scope access, whereas a user token can grant permission to read or write the database tables that user can access.

  • You cannot use a generic token to access user-specific endpoints that require a user context. Similarly, a user-specific token only grants access within the scope of that user's existing access; you need separate tokens for different users.

    • However, you may use a user-specific access token to access any endpoint that is accessible with just a generic token.

  • The userid parameter should be treated carefully. It must correspond to an actual ApplicationUser in the AIRisk system, and the authorization server does not verify that the person approving the request is that user; the parameter therefore provides a means of impersonating other users. (In many OAuth systems you don't specify the user manually; the user logs in themselves. AIRisk’s userid parameter might be used in scenarios where the user identity is known ahead of time, or to streamline first-party integrations. Always follow AIRisk’s guidelines on how to obtain or use this parameter.)

  • In summary, use a generic token when your app needs to perform application-level actions or maintenance tasks that aren't tied to a single user (such as listing available users). Use a user-specific token when your app is performing actions on behalf of a specific user, such as accessing that user's data or acting in their name within the AIRisk platform.
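The following Python is an added example, not AIRisk's own code, covering both the two token kinds described above and the userid caveat. It shows the two pieces an integrator and its security team would build around this behaviour: a guard that only requests a user-specific token for the identity the integration has itself authenticated (since the authorization server does not check that binding), and a detector run over token-issuance log lines that flags a single client_id minting user-specific tokens for many distinct userids. Only the names client_id and userid come from the docs; the log-line format, the token_issued event name, the sample ids, and the thresholds are constructed here as assumptions.

```python
"""
Added example, not AIRisk's own code. Two defensive pieces around the optional
`userid` parameter: a guard that binds a user-specific token request to the
identity the integration has already authenticated, and a detector over
token-issuance log lines. Assumptions (not from the AIRisk docs): the log
format, the `token_issued` event name, the sample ids and the thresholds.
Only `client_id` and `userid` are names the docs use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional


class UseridBindingGuard:
    """Decide which kind of token request an integration may make.

    The authorization server does not check that the approving person is the
    `userid` being requested, so a first-party integration must enforce that
    binding itself before asking for a user-specific token.
    """

    def __init__(self, client_id: str):
        self.client_id = client_id

    def token_params(self, authenticated_userid: Optional[str],
                     requested_userid: Optional[str]) -> dict:
        # No userid requested: a generic (application-only) token is fine.
        params = {"client_id": self.client_id}
        if requested_userid is None:
            return params
        # A user-specific token is only ever minted for the caller's own identity.
        if authenticated_userid is None:
            raise PermissionError("user-specific token requested without an authenticated user")
        if requested_userid != authenticated_userid:
            raise PermissionError(
                f"refusing userid={requested_userid!r}: caller is {authenticated_userid!r}")
        params["userid"] = requested_userid
        return params

    def denies(self, authenticated_userid: Optional[str], requested_userid: Optional[str]) -> bool:
        # True if the guard would refuse this combination.
        try:
            self.token_params(authenticated_userid, requested_userid)
        except PermissionError:
            return True
        return False


# Constructed log format: "<iso-timestamp> token_issued client_id=<id> [userid=<id>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) token_issued client_id=(?P<client>\S+)(?: userid=(?P<userid>\S+))?$")


def parse_token_log(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "client_id": m["client"], "userid": m["userid"]}


def find_userid_fanout(lines, window=timedelta(minutes=10), max_distinct_users=3) -> dict:
    """Flag client_ids that mint user-specific tokens for many distinct userids.

    Generic tokens (no userid) are ignored: they cannot act as a user. One
    client_id obtaining tokens for more than `max_distinct_users` different
    userids inside `window` is the pattern the userid caveat makes possible,
    and is worth an alert or at least a review.
    """
    events = [e for e in map(parse_token_log, lines) if e and e["userid"]]
    events.sort(key=lambda e: e["ts"])
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client_id"]].append(e)

    flagged = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            users = {e["userid"] for e in evs[start:end + 1]}
            if len(users) > max_distinct_users:
                flagged[client] = sorted(users)
                break
    return flagged


# Constructed sample: app-a fans out over four userids in 12 seconds; app-b does not.
SAMPLE_LOG = """
2024-05-01T09:00:00 token_issued client_id=app-a
2024-05-01T09:00:05 token_issued client_id=app-a userid=u-101
2024-05-01T09:00:09 token_issued client_id=app-a userid=u-102
2024-05-01T09:00:13 token_issued client_id=app-a userid=u-103
2024-05-01T09:00:17 token_issued client_id=app-a userid=u-104
2024-05-01T09:30:00 token_issued client_id=app-b userid=u-201
2024-05-01T09:31:00 token_issued client_id=app-b userid=u-201
2024-05-01T13:00:00 token_issued client_id=app-b userid=u-202
""".strip().splitlines()

if __name__ == "__main__":
    guard = UseridBindingGuard("app-a")
    print(guard.token_params(None, None))        # generic token request
    print(guard.token_params("u-101", "u-101"))  # user-specific, bound to the caller
    print(guard.denies("u-101", "u-102"))        # True: would be impersonation
    print(find_userid_fanout(SAMPLE_LOG))        # only app-a is flagged
```

The guard is the client-side half: because AIRisk will mint a token for any valid userid the APIUser names, the integration is the only place where "is this caller really that user?" can be enforced. The detector is the server- or SIEM-side half: a generic token appears in the log with no userid and is never counted, while a client_id that fans out over many userids in a short window is exactly what an abused userid parameter would look like.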


Last updated 2 months ago