Tokens in LogScale

LogScale supports a variety of different tokens that are used to provide API access to the different components of the system. Tokens use a randomly generated sequence of characters that identify the authority of a system or service to use a particular aspect of the LogScale instance.

Performing different actions, particularly through the API, is controlled through the API token and it is a combination of the type of API token, and the individual permissions granted to it, that allow or restict access. For example, to performaning Organization level administration and Organization API token must be used. Having a Ingest Token or Repository API token does not grant privileges to manage the organization. Conversely, data cannot be read or accessed using an Organization API token, as these are only for managing your LogScale installation.

Below is a list of them, with descriptions of each:

  • Ingest Tokens

    Ingest tokens are long-living token strings that you can use to set up your ingestion pipeline in Falcon LogScale Collector or other log shippers. Ingest tokens are used to identify the repository, parser and authority to send data for ingestion into LogScale. They do not allow access to the API or to query data stored in repositories.

    For more information, see Ingest Tokens.

  • Personal API Tokens

    Used to access the APIs within LogScale, Personal API tokens inherit the permissions of their user.

  • System API tokens

    System API tokens grant cluster administration permissions and the most dangerous actions, for example changing feature flags or changing usernames. They do not provide access to an organization or to the data stored in any repository.

  • Organization API tokens

    Organization level tokens allow management and configuration to systms within within an organization, including creating users and repositories, but do not allow access to data.

  • Repository and view API tokens

    API tokens at the repository and view level enable API-level access for reading data, managing the repository, packages, triggers and integrations. A Repository and view API token is strictly limited to accessing or managing only the Repository or View that the token was created for. You cannot use the same Repository and view API token to access the data from multiple repositories. API tokens are limited to a single view within the UI but can be created through the GraphQL API to cover multiple views and repositories.

Table: Token Comparison

Use Case Ingest Tokens Personal API Token System API Token Organization API Token Repository Token
Allow Ingesting Data Yes Yes Yes Yes No
Ingest Target Specific Repository Any repository the user has permissions to access Any Any N/A
Query/Read Data No Yes, for any repository the user has access to No No Yes, each token is specific to a single repository or view
Create API Tokens No No Yes Yes No

Each API token, with the exception of Ingest and Personal API tokens, has the following parameters:

  • API Token name

    The name of the token used to identify the token.

  • API Token domain

    There are specific API tokens for different areas of LogScale functionality, including system-level administration, organization level administration, views and repositories.

  • Permissions

    Depending on the domain, API tokens will have one or more permissions which can be explicitly granted. These only apply to the generated API token, and limit the ability of the token to that functionality. For more information on permissions, see Repository & View Permissions.

  • IP Filter

    An IP filter can be applied to limit incoming connections to specific IP addresses or networks. For more information, see IP Filters.

  • Expiry

    A token can be configured to automatically expire on a set time and date.

API tokens are governed by Security Policies.