Access tokens are used to authenticate requests from DataSift customers and their end customers who use PYLON for Facebook Topic Data. This document answers common questions on how DataSift manages tokens on the PYLON platform.
Throughout the document, the term "customer" is inclusive of both DataSift customers and their end customers, as most platform behavior is the same for both with regard to tokens.
What do tokens represent?
Is a token considered secret?
Strictly speaking, it's not a secret key, but a token should not be shared with anyone who doesn't need it to work with PYLON. The string used by Facebook to authenticate a topic data request consists of two parts: a Facebook app ID and the app's client token. Client tokens are designed to be embedded in client-side applications integrated with Facebook, and thus are not considered a secret key.
Anyone who has both a DataSift API key for a PYLON-enabled account and the app ID/client token combination (henceforth referred to simply as "the token") for an approved customer will be able to make requests to all endpoints. These two pieces of authentication identify the customer to DataSift (API key) and Facebook (token) separately.
In order to validate, compile or swap a filter; start or stop a recording; get usage metadata; analyze Topic Data; or retrieve analyze-able tag trees or Super Public data, both credentials must authenticate successfully.
How do customers manage tokens within PYLON?
DataSift offers an Account API for the management of PYLON identities, tokens and limits. Through this API, customers can add, remove or change the token on any PYLON identity.
Is it OK to apply the same token to multiple PYLON identities?
Yes. It can be useful to create multiple identities for one end customer.
For example, you may want to run two recordings for an end customer, splitting your recording capacity for the end customer between the two recordings. You could create two identities for the customer, assign the same token to each, and then set a recording limit for each identity as you require. If one of the recordings sees a sharp increase in volume, the separate limits ensure there is recording capacity for the other recording.
How are the tokens of DataSift customers distinguished from those of child customers?
Each PYLON identity carries a true/false value in the Master field. One identity in each DataSift account can be designated as the master identity. Activity in this identity is considered to be performed on behalf of the DataSift customer and not any end customer. It is valid for DataSift customers to record and analyze data for testing and demo purposes using the master identity.
DataSift chains together the master token and child token when the request is made from a child identity; when the request is made from the master identity, only the master token is sent. This shows Facebook which vendors are performing actions on their own behalf and which child customers they are acting for.