This repository has been archived by the owner on Sep 2, 2022. It is now read-only.

Auth token terminology #740

Closed
schickling opened this issue Oct 7, 2017 · 5 comments

Comments

@schickling
Member

There are several types of authentication tokens used in the context of Graphcool. Here is a naming proposal:

System Token

A token being used to authenticate a developer against the System API (for deployments etc.) either from the Console or CLI. This token is not meant to be used manually by a developer. For convenience reasons the system token also has the capabilities of a root token.

Root Token

Created statically via the graphcool.yml file when deployed and can be retrieved by running gc get-root-token my-token-key. This gives full read and write access to all client APIs.

Temporary Root Token

A temporary root token is instantiated before a function is called and automatically injected. A temporary root token is a root token that cannot be referenced outside the scope of the invoked function (e.g. via gc get-root-token) and expires after 5min (configurable via server.yml).

Node Token

A node token is for client-side authentication/authorization purposes (e.g. sign in with Facebook) and authenticates a specific data node of a certain type (for example a User node). A node token can be issued via the generateNodeToken(nodeId: string, typeName: string, payload?: ScalarObject) function in the graphcool-lib library.

@nikolasburk
Member

I'm not sure about temporary root tokens, because that could be misunderstood in the way that they're similar (in terms of how you can acquire and manage them) to permanent root tokens, which is not the case. The only similarity between them is that they grant access to all API operations; other than that they're very different in the way developers will be working with them. Maybe we could call temporary root tokens Function tokens instead?! If we stick to the root token terminology, I'd also rather make a clear distinction between tmp and permanent and actually call them permanent root tokens instead of only root tokens.

@nikolasburk
Member

I think I'd also prefer user token over node token, just because it's a bit more clear. I understand your reasoning that you can authenticate any type with such a token but these will in 99% of cases be some type of users. It should be clear however that the name user token is not actually derived from a type that's called User.

@marktani
Contributor

marktani commented Oct 7, 2017

It's graphcool root-tokens instead of graphcool get-root-tokens: #634.

@kbrandwijk
Contributor

Please include this naming strategy in graphcool-lib as well. It uses the terminology 'token' and 'pat' at the moment. Better yet, just make one parameter, because there's really no distinction, they both end up in the Authorization header of the GraphQLClient.

@marktani
Contributor

The proposal as in the OP is accepted.
