Authenticating API Requests
Here, you will learn how to authenticate your requests to access resources available on Dronetag accounts.
We offer two authentication methods: Personal Access Tokens (PATs) and OpenID Connect. Each method serves different use cases, so please read on to determine which is best suited for your project.
Using Personal Access Tokens (PATs)
If you plan to work with personal data from your own Dronetag account, such as post-processing data, creating a personal command-line interface (CLI) tool, or integrating data into other software, Personal Access Tokens (PATs) are available for easy and straightforward access to the API.
These tokens provide a simple-to-use, although less secure, method for accessing your resources via our API services. For more robust integrations intended for public access, we recommend considering the OpenID Connect method instead.
Personal Access Tokens provide full access to your account's resources. Please ensure you store these tokens securely and avoid sharing them inadvertently (e.g., by posting them online).
For enhanced security, PATs have a maximum validity of 60 days.
Personal Access Tokens are still in an experimental phase. Please let us know if you encounter any issues while using them.
Creating a new token
- Create via UI in our app
- Create via API
- Log in to your Dronetag account in the Dronetag app.
- Navigate to the Profile screen.
- Navigate to the Account screen to view your account details.
- Open the Personal Access Tokens screen.
Here you can create a new token by clicking the Create token button.
If you need to create a Personal Access Token programmatically, you can do so by sending a POST request to the /v2/pats/tokens endpoint. However, you must first authenticate your request using an access token obtained from the OpenID Connect flow.
Your account password is required to make this request. This password is not stored; it is only used for authorizing the token issue process.
{
"password": "hunter2",
"expires_at": "2025-09-09"
}
After you issue a new Personal Access Token, be sure to store this token securely. You won't be able to retrieve this token again.
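An added example (not Dronetag's own code) of the programmatic request described above: it rejects an expires_at beyond the 60-day maximum before sending, prompts for the password instead of storing it, and writes the response to an owner-only file. The JSON content type, the DRONETAG_ACCESS_TOKEN variable, the output file name and the function names are assumptions.

```python
import json
import os
from datetime import date, timedelta
from getpass import getpass
from urllib.request import Request, urlopen

API_BASE = "https://api.dronetag.app"  # host from the example requests on this page
MAX_VALIDITY = timedelta(days=60)       # maximum PAT validity stated above


def build_pat_request(access_token, password, expires_at, today=None):
    """Build (without sending) the POST /v2/pats/tokens request."""
    today = today or date.today()
    if expires_at <= today:
        raise ValueError("expires_at must be in the future")
    if expires_at - today > MAX_VALIDITY:
        raise ValueError("expires_at is beyond the 60-day maximum validity")
    body = {"password": password, "expires_at": expires_at.isoformat()}
    return Request(
        API_BASE + "/v2/pats/tokens",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": "Bearer " + access_token,  # OIDC access token
            "Content-Type": "application/json",          # assumed content type
        },
    )


def save_secret(path, data):
    """Write data once to a new owner-only (0600) file; never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    # DRONETAG_ACCESS_TOKEN and the output file name are hypothetical choices.
    req = build_pat_request(
        os.environ["DRONETAG_ACCESS_TOKEN"],
        getpass("Dronetag account password: "),  # prompted, never written to disk
        date.today() + timedelta(days=30),
    )
    with urlopen(req, timeout=10) as resp:
        # The response schema is not documented on this page, so keep the raw
        # body (it carries the token) in a protected file and do not print it.
        save_secret("dronetag-pat.json", resp.read())
```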
Using tokens to authorize requests
You can now use the token in the X-Personal-Access-Token HTTP header when making requests.
You can use Personal Access Tokens only for HTTP requests. Authenticating WebSockets is not possible with PATs.
Example request with PAT
POST /v2/airspace/telemetry/ua HTTP/1.1
Host: api.dronetag.app
Accept: */*
X-Personal-Access-Token: 4c5250130bbce349.b0dc901facd944e999b32ebf984c5250130bbce349b0dc901facd944e999b32e
Implementing OpenID Connect
By implementing Sign in with Dronetag, you can allow users to access their data through your application. This method is more reliable and offers a standardized approach to authentication.
Understanding OpenID Connect (OIDC)
Our implementation is based on OpenID Connect (which should not be confused with OpenID). OIDC allows you to leverage existing libraries and may already be supported by your application. Learn more on the OpenID Foundation website.
To utilize OIDC in your application, you will need your own client ID and secret. If you have not yet received these credentials, please contact us for assistance.
Implement authentication in your application
- Use available OIDC library
- Request tokens manually
We recommend exploring the certified OpenID Connect implementations to choose the best library for your project.
If your OIDC client supports it, you can utilize the OpenID configuration JSON available at:
https://auth.dronetag.app/realms/dcp/.well-known/openid-configuration
Alternatively, you can manually configure your OIDC client using the following endpoints:
Item | URL |
---|---|
Authorization Endpoint | https://auth.dronetag.app/realms/dcp/protocol/openid-connect/auth |
Token Endpoint | https://auth.dronetag.app/realms/dcp/protocol/openid-connect/token |
User Info Endpoint | https://auth.dronetag.app/realms/dcp/protocol/openid-connect/userinfo |
Client ID | Provided to your application |
Client Secret | Provided to your application |
If you do not wish to use an OIDC library, you can manually request tokens using an HTTP request.
https://auth.dronetag.app/realms/dcp/protocol/openid-connect/token
Send the following parameters in the request body:
- grant_type: password
- client_id: Your client ID
- client_secret: Your client secret
- username: Dronetag user account e-mail
- password: Dronetag user account password
Example cURL for obtaining an access token
curl -X POST "https://auth.dronetag.app/realms/dcp/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password" \
-d "client_id=<your-client-id>" \
-d "client_secret=<your-client-secret>" \
-d "username=<your-username>" \
-d "password=<your-password>"
Response
If successful, you will receive a JSON response containing the following:
{
"access_token": "eyJhbGc...",
"expires_in": 1200,
"refresh_expires_in": 604800,
"refresh_token": "eyJhbGc...",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "35d764ee-c27c-4763-bc05-5ffa2e2b822e",
"scope": "email"
}
Using Access Tokens
Both Personal Access Tokens and access tokens retrieved using OIDC can be added as a Bearer token in the Authorization header to authenticate your API requests.
Example Request
POST /v2/airspace/telemetry/ua HTTP/1.1
Host: api.dronetag.app
Accept: */*
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItQllNT2...
Refreshing Tokens
Access tokens issued as JWTs are short-lived and require refreshing upon expiration. We recommend reviewing the following resources for more information on refresh tokens and their secure usage:
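An added example (not part of the Dronetag documentation or code) of one way to handle refreshing: it keeps the expires_in and refresh_expires_in deadlines from the token response and renews the access token shortly before it expires. It assumes the token endpoint accepts the standard OAuth 2.0 refresh_token grant; TokenSession, post_form and the 30-second skew are hypothetical.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://auth.dronetag.app/realms/dcp/protocol/openid-connect/token"


def post_form(url, fields):
    """Default transport: POST url-encoded form fields, return the parsed JSON."""
    req = Request(url, data=urlencode(fields).encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenSession:
    """Holds one token response and renews the access token before it expires."""

    def __init__(self, client_id, client_secret, response, post=post_form,
                 clock=time.monotonic, skew=30):
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock, self.skew = post, clock, skew
        self._store(response)

    def _store(self, response):
        # Replace both tokens: the server may rotate the refresh token.
        now = self.clock()
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        self.access_deadline = now + response["expires_in"] - self.skew
        self.refresh_deadline = now + response["refresh_expires_in"] - self.skew

    def bearer(self):
        """Return the Authorization header value, refreshing first if needed."""
        now = self.clock()
        if now >= self.refresh_deadline:
            raise RuntimeError("refresh token expired: the user must sign in again")
        if now >= self.access_deadline:
            self._store(self.post(TOKEN_URL, {
                "grant_type": "refresh_token",  # standard OAuth 2.0 refresh grant
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "refresh_token": self.refresh_token,
            }))
        return "Bearer " + self.access_token
```

Keep the refresh token out of logs and persistent storage where possible: it stays valid far longer than the access token.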