If you have the API module enabled, you can create, edit, and deactivate API access tokens on your own in Imageshop. You can access the API management panel by following the steps below.


Note: API access is an additional module in Imageshop and carries an extra cost. If your company wishes to activate this module, please contact us at support@imageshop.no.

How to find the API panel:

  1. Go to the administration panel at admin5.imageshop.no. Alternatively, if you are already logged into the standard user interface as an administrator, you will find a direct link to the administration panel on the right side of the main menu.
  2. Hover your mouse pointer over your username in the top right corner to open the user menu, and select «Configuration».
  3. Click on the «API Access» option in the menu.

On this screen, you will see a complete overview of all issued tokens and their associated access rights. From here, you can also edit and deactivate existing tokens and create new ones.

Important! Remember to copy the token as soon as you have created it. For security reasons, it will not be possible to retrieve or view the token again after the window is closed. If you lose a token, you must deactivate the old one and create a brand new one.


It is good practice to deactivate an existing token if you create a new one to replace it. Always give your tokens meaningful names so that you can easily identify where they are being used. For example, if a token is to be used in a specific integration like WordPress, name it "WordPress". If it is used in a custom application or a tailored API integration, name it after the integration project.


To maintain a high level of security, it is recommended to rotate tokens at regular intervals, for example, by creating a new one and deactivating the old one once a year.


Always restrict the permissions of a token as much as possible to increase security. Only grant access to the interfaces that are strictly necessary, and disable the upload functionality for the token if the integration does not require uploading files.

A permanent token should never be exposed on the client side of an application, such as in visible JavaScript or HTML code. In cases where API calls must be performed from the client side, a temporary token should be fetched securely via the server first using the «GetTemporaryToken» method. This temporary token can then be used for further calls from the client side. Ideally, neither temporary nor private tokens should be used on the client side at all.


If you still need to use a token directly on a website, this token must have very limited access rights. In such cases, it is strongly recommended to disable uploading and to create a separate, specific public interface that the token can access. The images in this interface must be treated as completely public. Since the token is exposed on the client side, anyone with technical insight can capture it and use the API to, for example, download the images or perform other available operations.
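One way to enforce the rule above, that a permanent token never appears in client-side JavaScript or HTML, is to scan the built site before each deploy. This is an added example, not Imageshop code; the environment variable name `IMAGESHOP_PERMANENT_TOKEN` and the list of file suffixes are assumptions.

```python
import base64
import os
import sys
import urllib.parse
from pathlib import Path

# Assumption: file types your build ships to browsers; adjust as needed.
CLIENT_SUFFIXES = {".html", ".htm", ".js", ".mjs", ".map", ".json", ".css"}


def token_variants(token):
    """Forms in which a token typically ends up inside a bundle."""
    raw = token.encode()
    return {
        "plain": raw,
        "url-encoded": urllib.parse.quote(token, safe="").encode(),
        # Matches the token encoded on its own; padding is stripped
        # so both padded and unpadded Base64 are found.
        "base64": base64.b64encode(raw).rstrip(b"="),
    }


def find_token_leaks(build_dir, token):
    """Return (relative path, line number, variant) for each hit."""
    if len(token) < 8:
        raise ValueError("token too short to search for reliably")
    root = Path(build_dir)
    variants = token_variants(token)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CLIENT_SUFFIXES:
            continue
        lines = path.read_bytes().splitlines()
        for lineno, line in enumerate(lines, start=1):
            for name, needle in variants.items():
                if needle in line:
                    hits.append((path.relative_to(root).as_posix(), lineno, name))
                    break  # one finding per line is enough
    return hits


if __name__ == "__main__":
    # IMAGESHOP_PERMANENT_TOKEN is a hypothetical variable name.
    secret = os.environ["IMAGESHOP_PERMANENT_TOKEN"]
    leaks = find_token_leaks(sys.argv[1], secret)
    for rel, lineno, variant in leaks:
        # Never print the token itself into CI logs.
        print(f"{rel}:{lineno}: permanent token found ({variant})")
    sys.exit(1 if leaks else 0)
```

Run it in the deploy pipeline with the build output directory as its only argument; a non-zero exit means the permanent token reached a file served to browsers, and that token should be deactivated and replaced.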


To completely delete a token from the system, you must first change its status to inactive. Once the token is deactivated, the delete option will become available.