Remarks

The previous sections introduced you to the authentication flow of OpenTicket. Some details of this flow will change in the future; keep this in mind when implementing it. You should also be aware of the limitations of the generated tokens.

First and foremost, scopes are currently unused. This means that any token can be used to access any service. In the future, this will most likely change, as scopes enable a more nuanced approach to accessing OpenTicket resources. When scopes are introduced, already issued tokens are likely to remain valid.

Secondly, tokens themselves have some limitations. The total number of tokens per user, per client is limited. When this limit has been reached, the least recently used token is invalidated. Furthermore, a token must be issued for at least one company. This also means that a user who has lost access to all companies cannot make any requests. Besides that, as of right now, it is impossible to request a (short-lived) token to test applications without fully implementing an OAuth flow. This feature is being developed and will be deployed.
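To make the per-user, per-client cap and the least-recently-used eviction concrete, here is an added model of the behaviour described above (not OpenTicket's own code). The cap value, the token format and the method names are assumptions, since the page states neither the limit nor an API for it.

```python
from collections import OrderedDict

# Assumed cap: the page says a limit exists but does not give its value.
MAX_TOKENS_PER_USER_CLIENT = 3


class TokenStore:
    """Model of the described token limits, not OpenTicket's implementation."""

    def __init__(self, limit=MAX_TOKENS_PER_USER_CLIENT):
        self.limit = limit
        # (user, client) -> OrderedDict mapping token -> companies;
        # the OrderedDict is kept in least- to most-recently-used order.
        self._buckets = {}
        self._counter = 0

    def issue(self, user, client, companies):
        """Issue a token; fails when the user has no company access."""
        if not companies:
            raise ValueError("a token must be issued for at least one company")
        bucket = self._buckets.setdefault((user, client), OrderedDict())
        self._counter += 1
        token = f"tok-{self._counter}"  # constructed, not a real token format
        bucket[token] = tuple(companies)
        if len(bucket) > self.limit:
            # Cap reached: the least recently used token is invalidated.
            bucket.popitem(last=False)
        return token

    def use(self, user, client, token):
        """Return True if the token is still valid; marks it most recently used."""
        bucket = self._buckets.get((user, client), OrderedDict())
        if token not in bucket:
            return False
        bucket.move_to_end(token)
        return True

    def invalidate(self, user, client, token):
        """Revoke a single token, e.g. one that has been leaked."""
        return self._buckets.get((user, client), OrderedDict()).pop(token, None) is not None
```

Note that the limit applies per user and per client, so tokens issued to the same user through a different client are not affected by eviction.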

Lastly, to reiterate, secrets must be kept private. Consequently, pure JavaScript implementations that do not rely on a server implementation are not possible! Similarly, tokens are personal and must also be kept private. Sharing of tokens is not allowed, and leaked tokens will be invalidated!