
Anonymous Authorization (anonauth) Endpoint

Anonymous logins enable access to the tenant without a defined role, thus requiring no authentication. This feature is accessed at the /anonauth server endpoint. The primary use case is for self-registration of new users for a tenant's apps, and thus creation of new roles. Access to public data is another use case.

Enable anonauth logins

Tenant root roles only: set or get the status of anonymous logins on the tenant with the anonymous_logins utility function in the roles_pbac endpoint. See the anonymous logins documentation.

Example Query
{
Utility {
anonymous_logins(enable: true)
}
}

Output

{
"data": {
"Utility": {
"anonymous_logins": 1111
}
}
}

Anonymous logins are supported by means of a 'Nobody' role, which is created for the tenant the first time they are enabled. This Nobody role will have normal capabilities, as well as the ability to create new roles. Policy will be added to enable the Nobody role to view all normal roles in the tenant, but the tenant root role will need to add policy to give it access to tables in the tenant schema, other than those with global access. Be cautious with this: a table with anonymous access enabled can be queried or mutated by anyone, to the extent the policy permits!

info

The Nobody role will not have the ability to log in except via the /anonauth endpoint, but will have these capabilities: select, insert, update, delete, upload, download, create_role, view_role.

If a tenant has anonymous logins enabled, and they are then disabled, the Nobody role will be flagged as deleted, thus blocking use of /anonauth for the tenant. If later re-enabled, the existing Nobody role's deleted flag will be cleared.

With "enable" set to true, the function enables anonymous logins; set to false, it disables them. It returns the roleid of the configured Nobody role if enabled, false otherwise.

Connect to endpoint

Send a POST request to the endpoint https://api.devii.io/anonauth, either as form data or as application/json, with a single field: tenantid. The tenantid is the ID you got from the Database card.

const AUTH_URL = "https://api.devii.io/anonauth";

// Only tenantid is required; the Nobody role needs no credentials.
const formdata = new FormData();
formdata.append("tenantid", "1111");

const requestOptions = {
method: "POST",
body: formdata,
redirect: "follow",
};

// The response body is the JSON object shown below, containing the access_token.
fetch(AUTH_URL, requestOptions)
.then((response) => response.text())
.then((result) => console.log(result))
.catch((error) => console.log("error", error));
Successful Response
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9...",
"message": "Logged in as nobody1111.",
"refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9...",
"roleid": 1111,
"routes": {
"base": "https://api.devii.io/",
"query": "https://api.devii.io/query",
"roles_pbac": "https://api.devii.io/roles_pbac"
},
{Truncated Schema...}
}

The response will contain a JSON object with a lot of data. The token needed to connect to the API endpoints is under the field "access_token". It's a JSON Web Token, cryptographically signed by the Devii server, which indicates your role (user) and tenant IDs.

There is also a JWT in the field "refresh_token", which can be used to request a new access token from the /auth endpoint (more on that later); a "routes" field which gives the URL routes to your tenant's endpoints; "roleid" which gives your currently logged in role ID; and two fields called "schema" and "rpb_schema", which give full JSON GraphQL schema data for the query and roles_pbac (control) schemas of your tenant, respectively. To gain access now, what you'll need is the "access_token" and the "routes" fields.

Troubleshooting

Sending POST to the endpoint without a tenantid will not work.

Sending a POST to the endpoint with a tenantid for which anonymous logins are not enabled will not work.

{
"error": "Tenant 1111 does not allow anonymous access.",
"status": 403
}

GET requests will not work.

{
"message": "Use /auth for refresh tokens.",
"status": 405
}
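The exchange described in "Connect to endpoint" and the error shapes listed under "Troubleshooting", as an added example that is not Devii's own code: a small client that posts tenantid as application/json, maps the documented 200/403/405 responses, and inspects the returned token's header (the header segment shown on this page decodes to ES512) before keeping it. fetchImpl, stubFetch, SAMPLE_TOKEN and SAMPLE_OK are constructed for the example and are not part of the Devii API.

```javascript
const AUTH_URL = "https://api.devii.io/anonauth";

// Decode one base64url JWT segment into an object. No signature check here:
// the Devii server signs and later verifies the token; the client only inspects it.
function decodeJwtSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Classify an /anonauth response by HTTP status and the documented body fields.
function parseAnonauthResponse(status, bodyText) {
  const body = JSON.parse(bodyText);
  if (status === 403) return { ok: false, reason: body.error };     // anonymous logins disabled
  if (status === 405) return { ok: false, reason: body.message };   // wrong method (e.g. GET)
  if (status !== 200 || typeof body.access_token !== "string") {
    return { ok: false, reason: `unexpected response (status ${status})` };
  }
  // The access_token header on this page decodes to {"typ":"JWT","alg":"ES512"};
  // treat anything else as not a Devii token rather than storing it.
  const header = decodeJwtSegment(body.access_token.split(".")[0]);
  if (header.typ !== "JWT" || header.alg !== "ES512") {
    return { ok: false, reason: `unexpected token header ${JSON.stringify(header)}` };
  }
  return { ok: true, roleid: body.roleid, accessToken: body.access_token, routes: body.routes };
}

// POST tenantid as application/json. fetchImpl is injected so the example runs
// offline against the stub below; pass globalThis.fetch to talk to the real endpoint.
async function anonauthLogin(tenantid, fetchImpl) {
  const response = await fetchImpl(AUTH_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ tenantid: String(tenantid) }),
  });
  return parseAnonauthResponse(response.status, await response.text());
}

// Constructed sample data shaped like the documented response. The token's header
// segment is the one from this page; the payload and signature are placeholders.
const SAMPLE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9." +
  Buffer.from(JSON.stringify({ roleid: 1111 })).toString("base64url") + ".placeholder-sig";
const SAMPLE_OK = JSON.stringify({
  access_token: SAMPLE_TOKEN, message: "Logged in as nobody1111.", roleid: 1111,
  routes: { base: "https://api.devii.io/", query: "https://api.devii.io/query" },
});
const stubFetch = async () => ({ status: 200, text: async () => SAMPLE_OK });

anonauthLogin(1111, stubFetch).then((r) => console.log(r.ok ? `role ${r.roleid}` : r.reason));
```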