API Tokens not required to use API

Why am I able to connect and retrieve data from the DB with Postman without specifying the API token? I checked “This app exposes a Workflow API” and “This app exposes a Data API” to suit my needs, and generated a token.

But then, using Postman, I successfully retrieved data without even entering the token. Why is that?


On the data API side (the “GET” side) of your app’s API, access to individual Things you expose in the API is controlled by privacy rules. If anyone can view an exposed thing, then any get data API call for that thing will not require authentication.

On the workflow API side (the “POST” side) of your app’s API, access to endpoints is controlled by the endpoint’s settings, e.g.:

If “This endpoint can be run without authentication”, no authentication will be necessary. If it is not checked, unauthenticated requests will return an “unauthorized” error.


Thanks a lot @keith. I hadn’t set privacy rules yet for my app and didn’t know they also applied for API requests.

Yeah, an unauthenticated API GET request is the equivalent of “everybody else” in the privacy rules settings.

(So, you might have a complex Thing with many fields on it, some of which are visible only to the Thing’s creator. However, some of the fields are entirely public and there may be no restriction on some random person being able to view those fields on that particular Thing. An unauthenticated GET request for that Thing will return any Things matching the request, but will include only the fields that are visible to “everyone else” – like a sanitized version of the Things, if you will.)

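The “sanitized version” of a Thing described in the replies above can be verified for your own app by fetching the same Data API search twice, once without credentials and once with a token, and diffing the fields that come back per Thing. The script below is an added example for this thread, not code from Bubble or from any poster: the Data API response envelope (`{"response": {"results": [...], "cursor", "count", "remaining"}}`), the `Authorization: Bearer` header, and every field name, id and value are constructed or assumed for illustration. It embeds three constructed responses (authenticated, anonymous with a creator-only privacy rule, and anonymous with no privacy rules, which is the situation in the original question) so it runs offline.

```python
"""Audit what an unauthenticated Bubble Data API GET exposes to "everyone else".

Added example for this forum thread; not Bubble's code. Response shape,
headers, field names and ids are assumed/constructed for illustration.
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample Things. Apart from Bubble's default fields (_id, Created By,
# Created Date, Modified Date) every field name and value here is hypothetical.
_FULL_THINGS: List[dict] = [
    {"_id": "1690000000000x111", "name": "Alice", "email": "alice@example.test",
     "phone": "+1-555-0100", "Created By": "1690000000000x001",
     "Created Date": "2023-07-22T10:00:00.000Z", "Modified Date": "2023-07-22T10:00:00.000Z"},
    {"_id": "1690000000000x222", "name": "Bob", "email": "bob@example.test",
     "phone": "+1-555-0101", "Created By": "1690000000000x002",
     "Created Date": "2023-07-22T11:00:00.000Z", "Modified Date": "2023-07-22T11:00:00.000Z"},
]
# Fields the (hypothetical) privacy rule lets "everyone else" view.
PUBLIC_FIELDS: Set[str] = {"_id", "name", "Created Date", "Modified Date"}
# Fields the app owner intends to keep to the Thing's creator.
PRIVATE_FIELDS: Set[str] = {"email", "phone", "Created By"}


def _wrap(things: List[dict]) -> str:
    """Wrap Things in the envelope the Data API is assumed to use."""
    return json.dumps({"response": {"cursor": 0, "results": things,
                                    "count": len(things), "remaining": 0}})


# What the creator sees when calling with a token: every field.
AUTHENTICATED_RESPONSE = _wrap(_FULL_THINGS)
# What an anonymous caller sees once a creator-only privacy rule is in place.
RESTRICTED_ANON_RESPONSE = _wrap(
    [{k: v for k, v in t.items() if k in PUBLIC_FIELDS} for t in _FULL_THINGS])
# What an anonymous caller sees with no privacy rules at all (the original question).
OPEN_ANON_RESPONSE = _wrap(_FULL_THINGS)


def fetch_things(url: str, token: Optional[str] = None) -> str:
    """GET a Data API search; send the API token as a Bearer header when given.

    Not exercised by the offline demo below. The header format is an assumption.
    """
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fields_by_thing(raw_json: str) -> Dict[str, Set[str]]:
    """Map each returned Thing's _id to the set of field names present in it."""
    results = json.loads(raw_json)["response"]["results"]
    return {thing["_id"]: set(thing.keys()) for thing in results}


def leaked_fields(anon_raw: str, private_fields: Iterable[str]) -> Dict[str, Set[str]]:
    """Per Thing, the intended-private fields an unauthenticated GET still returns.

    An empty dict means the privacy rules hide every listed field from "everyone else".
    """
    private = set(private_fields)
    return {tid: fields & private
            for tid, fields in fields_by_thing(anon_raw).items() if fields & private}


def hidden_from_everyone_else(auth_raw: str, anon_raw: str) -> Dict[str, Set[str]]:
    """Per Thing, the fields visible with a token but stripped from the anonymous view.

    A Thing the anonymous caller cannot find at all counts as fully hidden.
    """
    auth, anon = fields_by_thing(auth_raw), fields_by_thing(anon_raw)
    return {tid: fields - anon.get(tid, set()) for tid, fields in auth.items()}


if __name__ == "__main__":
    print("No privacy rules, anonymous GET leaks:",
          leaked_fields(OPEN_ANON_RESPONSE, PRIVATE_FIELDS))
    print("Creator-only rule, anonymous GET leaks:",
          leaked_fields(RESTRICTED_ANON_RESPONSE, PRIVATE_FIELDS))
    print("Fields stripped for everyone else:",
          hidden_from_everyone_else(AUTHENTICATED_RESPONSE, RESTRICTED_ANON_RESPONSE))
```

To run it against a real app, replace the constructed responses with two `fetch_things()` calls to the same search URL, one without a token and one with, and pass the fields your privacy rules are meant to protect as `private_fields`; a non-empty result from `leaked_fields()` is the condition the original poster hit.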