ODK Central - REST Authentication with Bearer


Using Insomnia retrieving all submissions is not an issue.
In VBA however, I get this error: "... does not have rights..." (see below)
The user has the administrator-role.

Now I take it it would be better to use a Bearer-Token. But cannot seem to figure out how to.

Would you be able to provide an example on how to retrieve a token in GET or in POST format?

Thank you indeed

GET https://my.host.com/v1/projects/2/forms/build_Auftrag-Zeiterfassung_1581536688.svc/Submissions/
Autorization: Basic email:passw
User-Agent: VBA-Web v4.1.3 (https://github.com/VBA-tools/VBA-Web)
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: application/json
Content-Length: 0

<-- Response - 17:09:09
403 Forbidden
Connection: keep-alive
Date: Thu, 13 Feb 2020 16:09:00 GMT
Content-Length: 95
Content-Type: application/json; charset=utf-8
ETag: W/"5f-Ek3O44/1d0d5pvuF9D634f2LGLc"
Server: nginx
X-Powered-By: Express
OData-Version: 4.0

{"message":"The authenticated actor does not have rights to perform that action.","code":403.1}

You can read more about Central's authentication scheme at https://odkcentral.docs.apiary.io/#reference/authentication (linked to from the main documentation page). In particular, see the examples for logging in.

Hopefully this will give you the information you need but let us know if you still have questions!

Hi Hélène
Thank you for swift answering.
I did read that doc, of course. However, I still cannot figure out how to obtain a Session-Bearer-Token. I'm lost.

In a Nutshell: I need an action (POST or GET) which returns the token, which I then can use in the next call's header as described:

"supply it in a request header Authorization with a value of Bearer {token}"

I get as far as this:
GET : https://myCentral.Server.ch/v1/users/Authenticate
(What do you mean by 'Authenticate to be (integer)'?)

"message": "Invalid input data type: expected 'Authenticate' to be (integer)",
"code": 400.11,
"details": {
"value": "Authenticate",
"expected": "integer"

I tried POST as well, having
{"email":"me@mail.ch","password":"aSecret"} in the body.

The important part is missing in the document you mentioned.

supply it in a request header Authorization with a value of Bearer {token}, as seen here.
(There is not really anything at /v1/example.....

Again, I can retrieve all data (submissions) using INSOMNIA with GET and BasicAuth. But out of my VBA-code it does not work. And apart from that, BasicAuth was said to be a bad choice.

Thank you for elaboration

Hi @ufotech!

The endpoint …/v1/users/[integer id] can be used to get information about the individual user with the specified id. (There is no …/v1/users/Authenticate endpoint.) Instead, you need to create a session. It is the session object that contains the token. The documentation for "Logging in" shows the endpoint that you can use for this, which is …/v1/sessions. If you POST to this endpoint with your credentials (as JSON), a session object should be returned with a token. (See the documentation for details on how to formulate this request.)

Hope this helps!

1 Like

Hi Matthew

Perfect! Exactly the information I was missing.
Works perfectly.

Thanks a lot

BTW I take it, we cannot delete individual submissions using the API as of now, right?

Glad that helped! :slight_smile:

That's right: submission deletion is not yet implemented in the API. However, we plan to add it to the API: take a look at this topic for more about what's already been implemented in ODK Central and what's coming up.