How to Set Up API OAuth Token

In this article, you will learn how to set up API OAuth Token with NinjaOne, including efficient tactics and strategies to simplify the integration process for both the developers and users.

What is OAuth Token API?

OAuth2 is a security measure used by NinjaOne to control API access. Applications must obtain an authorization code to interact with NinjaOne’s resources. This protects user data and ensures only trusted applications can access sensitive information. OAuth2 offers a more secure and user-friendly login experience compared to traditional methods. It allows users to grant specific permissions to applications, reducing the risk of unauthorized access. Additionally, OAuth2 simplifies the integration process for developers and enhances the overall user experience.

How to Enable OAuth Token API

Configuration of OAuth

To start using the OAuth protocol for your app’s authentication with NinjaRMM, you must first have an OAuth app credential from the NinjaRMM system. The OAuth app will have an authorization grant set up for you. OAuth 2.0 supports various grant types; however, the NinjaRMM Public API supports the authorization code and implicit grant types.

API settings can be found under Administration > Apps > API.

Documentation on API versions and how they work can be found under Legacy API Keys.

Generate an OAuth Client Application:

1. Click Client App IDs.

2. To open the Application Configuration, click Add.

3. The Application Platform drop-down list has three options for OAuth Application creation.

4. The Application Configuration options are the same across all three options:

Name: This will be displayed as the client application name on the consent screen. This name will show up under the Administration > Apps > API > OAuth Tokens.

Redirect URIs: URI(s) where Ninja will send OAuth responses.

  • This is not configurable when using the Native Application Platform, which will use a local host.

Scopes: Each scope covers access to all Public API Resources of a certain type: Monitoring, Management, Control. Check the checkbox next to a type to allow that type.

  • Monitoring: Grants read-only access to monitoring data and organization structure.
  • Management: Allows modification of device and organization information; including creating new organizations, adding new devices, running scripts, etc.
  • Control: Enables remote access via API.

Allowed Grant Types: OAuth 2.0 grant types used for the client application acting on behalf of a user. Limit the allowed grant types to minimize security risks. These types are explained below:

  • Authorization Code: The Authorization Code is a temporary code that the client will exchange for an access token. The code itself is obtained from the authorization server, where the user gets a chance to see what information the client is requesting and approve or deny the request.
  • Refresh Token: The presence of the Refresh Token means that when the access token expires, you’ll be able to get a new one without the user’s interaction.
  • Implicit: An alternative to Authorization Code, Implicit Flow bypasses the code exchange step, and instead the access token is returned in the query string fragment to the client immediately.

Per Application Platform, some grant types may not be accessible.

  • Native: Authorization Code, Refresh Token, Implicit
  • Single Page: Authorization Code, Implicit
  • Web: Authorization Code, Refresh Token, Implicit

5. After configuration is complete, click Save.

6. After Saving the Application, you will be given a Client ID that can be copied and used when the app interacts with NinjaOne.

Important Note: Any questions about API configuration, documentation, or OAuth Tokens can be addressed by reaching out to our API Team at [email protected]

The Benefits of Using NinjaOne with an API OAuth Token

Enhanced Security: OAuth2 protects user credentials by avoiding direct sharing of sensitive information.

Granular Permission Control: Allows users to grant specific permissions to applications, limiting data access.

Simplified Integration: Provides a standardized way for developers to integrate with NinjaOne’s API.

Improved User Experience: Offers a more secure and convenient authentication process for users.

Strategies for using API OAuth Token with NinjaOne

Management: Carefully define the permissions your application needs. Avoid asking for unnecessary permissions to reduce security risks. Use refresh tokens to maintain access without requiring users to log in again.

Error Handling: Implement error handling mechanisms to gracefully deal with authentication failures. Track API usage to identify potential issues.

Security: To ensure API security, store client secrets carefully and limit request rates. By monitoring API usage, you can identify and prevent potential abuse.

FAQ

OAuth 2.0 is an authorization framework that allows applications to access data from other services on behalf of users without requiring them to share their credentials directly.

An OAuth 2.0 token is a unique identifier that grants an application permission to access specific resources or data within a service. It acts as a temporary credential that allows the application to interact with the service on the user’s behalf.

1. Obtain an OAuth access token:

  • Register your application with NinjaOne to get a client ID and client secret.
  • Redirect the user to NinjaOne’s authorization endpoint with the necessary parameters (client ID, redirect URI, scope).
  • The user will be prompted to log in and authorize your application.
  • Once authorized, NinjaOne will redirect the user back to your application with an authorization code.
  • Exchange the authorization code for an access token by making a POST request to NinjaOne’s token endpoint, providing the client ID, client secret, authorization code, and redirect URI.

2. Make API requests:

  • Include the access token in the authorization header of your API requests.
  • Use the appropriate HTTP method and endpoint for the desired action (e.g., GET, POST, PUT, DELETE).
  • Refer to NinjaOne’s API documentation for specific endpoints and request formats.
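
The two steps above as request-building code, added here as an example (not NinjaOne's own code): it constructs the authorization URL, validates the redirect back to the app, and prepares the token-exchange and API requests without sending anything. The endpoint URLs and redirect URI are placeholders, the scope strings passed in are assumed, and the state check comes from the OAuth 2.0 specification rather than from this article.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Placeholders (assumptions): take the real endpoints from NinjaOne's API docs.
AUTHORIZE_URL = "https://ninjaone.example/oauth/authorize"
TOKEN_URL = "https://ninjaone.example/oauth/token"
REDIRECT_URI = "https://app.example/callback"  # must match a registered Redirect URI

def build_authorization_url(client_id, scopes):
    """Step 1: URL the user is redirected to; returns (url, state)."""
    state = secrets.token_urlsafe(24)  # ties the response to this browser session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # scope names are assumed; request only what is needed
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state

def code_from_callback(callback_url, expected_state):
    """Validate the redirect back to the app and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response was not started by this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def build_token_request(code, client_id, client_secret):
    """Code exchange: a POST with a form body, so the secret never sits in a URL."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_api_request(url, access_token):
    """Step 2: the access token travels in the Authorization header."""
    return Request(url, headers={"Authorization": f"Bearer {access_token}"})
```

Pass the returned Request objects to urllib.request.urlopen to send them, and keep the state value in the user's server-side session between the redirect and the callback.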
