This command retrieves a token from an ExtraView instance, in order that the token may be used in subsequent API calls without the need for these subsequent API calls to send the password in clear text.  The protocol used to generate the token and to apply this is termed OAuth2.  When a valid token is generated, it has an expiry date and time, based upon the value in the behavior setting named OAUTH2_TOKEN_LIFETIME_SECONDS.  After the token expires, a new token must be requested, again using the get_token command.  If an API request is made using an expired token, the server treats the call as an invalid sign on and access is refused.

SYNTAX

https://www.myserver.com/evj/ExtraView/ev_api.action? 
user_id=username 
&password=password 
&statevar=get_token 
[&ev_send_xml=false | true]

NOTES

The token is returned as plain text, unless the parameter ev_send_xml is set to true, in which case the token is returned within an XML format.

If two factor authentication is turned on for the site, this will cause a problem when a user attempts to use token-based access.  To avoid this issue, a security permission key named USER.EXCLUDE_2FA must be turned on for the user role.  Following that, a new prompt on the user’s personal options screen will allow for the user to bypass the 2FA and directly access the API.

EXAMPLES

Example 1: Send the URL:

https://www.myserver.com/evj/ExtraView/ev_api.action?user_id=my_user_id&password=my_password&statevar=get_token

This returns:

Token:x3o4xNX8xYm4gRE5YrtLPq3Bybtav9Xao8VBI1oPtz8
Type:Bearer
Lifetime:3600
Expiration Date:2020-07-02 18:39:48.818 -0700
Scope:read write

Example 2: Send the URL:

https://www.myserver.com/evj/ExtraView/ev_api.action?user_id=bsmith&password=bill&statevar=get_token&ev_send_xml=true

This returns:

<?xml version="1.0" encoding="UTF-8"?>
<access_token>
<value> ayBNRrDElFvyv7yrTlT2rAiOkCtth1Ez9M7cQyh1hHc </value>
<type> Bearer </type>
<lifetime> 3600 </lifetime>
<Expiration Date> 2020-07-02 18:39:48.818 -0700 </lifetime>
<scope> read write </scope>
</access_token>

At this point in time, the type and scope within the returned data have no meaning.

Once a valid token is returned, you may use this in subsequent API calls, with the following being an example – note there is no User ID or Password parameters:

https://www.myserver.com/evj/ExtraView/ev_api.action? access_token=ayBNRrDElFvyv7yrTlT2rAiOkCtth1Ez9M7cQyh1hHc&statevar=fields&include_fields=y