This is the documentation for SuperSTAR 9.8

SuperSTAR 9.9 is now available.

Any user who wants to access the API must have an API key, which is obtained by logging in to SuperWEB2 and viewing the Preferences page.

By default, all users can obtain an API key from SuperWEB2. If you do not want all your users to have access to the API, you can restrict it so that keys are only available to users who belong to specific SuperADMIN groups.

Restrict Access to API Keys

To restrict API key access, make sure your users are organised into groups, then run the following command in SuperADMIN:

cfg global superadmin.apiToken.groups set <list_of_group_ids>

Replace <list_of_group_ids> with a comma-separated list of groups that should have access to keys. Users will only be able to obtain an API key if they belong to one of the specified groups.

For example, the following command ensures that keys are only available to users who belong to the administrators or powerusers groups:

cfg global superadmin.apiToken.groups set [ "administrators", "powerusers" ]

Prevent Any Users from Accessing API Keys

If you do not want any users to be able to access API keys through SuperWEB2, set the superadmin.apiToken.groups key to an empty array:

cfg global superadmin.apiToken.groups set []

Allow All Users to Access API Keys

If you want to allow all users to access API keys, run the following command:

cfg global superadmin.apiToken.groups remove

Revoke an API Access Key

The above commands can be used to prevent users from obtaining API keys for their accounts. However, any user who has already obtained an API key will still be able to use that key.

You can invalidate a user's existing key by running the following command in SuperADMIN:

account <user_id> invalidate token

For example, to invalidate the API key currently assigned to the user jsmith, run the following command:

account jsmith invalidate token

This command invalidates the user's current key, but it does not prevent the user from obtaining a new key in SuperWEB2.

If you want to turn off a user's API access, use this command in conjunction with the command above that restricts which groups can obtain keys in SuperWEB2.
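The interaction between the group restriction and key invalidation described above, as an added Python example (not SuperSTAR code): it models the three states of superadmin.apiToken.groups as this page states them and reports which users could still obtain a new key after their current one is invalidated. The user akhan, the group analysts and the membership data are hypothetical, constructed for illustration.

```python
# Added model of the rules described on this page; not SuperSTAR code.
# ALLOW_ALL stands for "superadmin.apiToken.groups is not set" (after `remove`).
ALLOW_ALL = None


def can_obtain_key(allowed_groups, user_groups):
    """True if a user in user_groups can obtain an API key in SuperWEB2."""
    if allowed_groups is ALLOW_ALL:      # key removed: every user may obtain a key
        return True
    return bool(set(allowed_groups) & set(user_groups))  # [] matches nobody


def revocation_plan(allowed_groups, memberships, users_to_disable):
    """Return (commands, still_eligible) for turning off API access.

    memberships: dict of user id -> set of group ids (constructed input).
    commands: the page's invalidate command for each user, in sorted order.
    still_eligible: users who could obtain a new key afterwards because the
    group restriction still admits them.
    """
    commands, still_eligible = [], []
    for user in sorted(users_to_disable):
        commands.append(f"account {user} invalidate token")
        if can_obtain_key(allowed_groups, memberships.get(user, set())):
            still_eligible.append(user)
    return commands, still_eligible


# Constructed sample data: group ids from the page's example, hypothetical users.
MEMBERSHIPS = {
    "jsmith": {"powerusers"},
    "akhan": {"analysts"},
}
ALLOWED = ["administrators", "powerusers"]

if __name__ == "__main__":
    cmds, gaps = revocation_plan(ALLOWED, MEMBERSHIPS, ["jsmith", "akhan"])
    print("\n".join(cmds))
    for user in gaps:
        print(f"WARNING: {user} can still obtain a new key in SuperWEB2")
```

A user listed in the second return value still belongs to a group that is allowed to obtain keys, so invalidating the current key alone does not turn off that user's API access.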

