
Manage login tokens

Goal

To create and manage login tokens in the Propeller backoffice, enabling secure one-time or reusable authentication without requiring users to enter a password. Login tokens are commonly used for OCI (Open Catalog Interface) integrations and user impersonation scenarios.


Understanding Login Tokens

Login tokens are secure authentication mechanisms that allow users to access the system without entering passwords. They are particularly useful for:

Key Use Cases

  • OCI Integrations: Automatically authenticate users when redirecting from external procurement systems
  • User Impersonation: Allow administrators to access the system as specific users for support purposes
  • Passwordless Login: Provide secure access links via email for users who prefer not to manage passwords
  • Temporary Access: Grant time-limited access to external partners or consultants

Token Types

  • One-time use: Token expires after first successful login
  • Reusable: Token can be used multiple times until expiration date
  • Anonymous user: Special token type for users without specific contact or customer records

Step 1: Navigate to Login Tokens

  1. From the backoffice menu, select Users and then Login Tokens.
  2. The login tokens list displays:
    • Name (associated contact or customer)
    • Type (Contact/Customer)
    • Expires At
    • Last Accessed At
    • Successful Attempts
    • Failed Attempts
    • One Time Use status
    • Extra information

Step 2: Create a New Login Token

  1. Click the New Login Token button in the top right corner.
  2. The New Login Token popup window will appear.

Step 3: Configure Token Details

Complete the following fields in the popup:

Select Contact or Customer

  • Search field: Start typing to search for a contact or customer
    • Type the person's name or email
    • Select from the dropdown results
    • Choose "Anonymous user" for tokens not tied to specific users

Token Settings

  • Expires at: Set the expiration date and time

    • Click the calendar icon to select date
    • Token becomes invalid after this date
    • Consider security requirements when setting expiration
  • Extra: Add any additional information

    • Used for tracking purposes or integration metadata
    • Examples: "OCI integration", "Support ticket #123"
  • One time use: Toggle this option on/off

    • When enabled: Token expires after first successful login
    • When disabled: Token can be used multiple times until expiration date
    • Enabling this option is recommended for security-sensitive scenarios

Step 4: Save and Retrieve Token

  1. Click Save to create the login token.
  2. The system generates a unique token ID.
  3. After creation, you'll see a success message: "Login token was successfully created"
  4. The new token appears in the list with all configured details.

Using Login Tokens

Token URL Format

The generated token can be used to create a login URL:

https://[your-domain]/login?token=[TOKEN_ID]

Integration Examples

  • OCI Integration: Include the token in return URLs from external systems
  • Email Links: Send secure login links to users
  • API Access: Use tokens for programmatic authentication

Managing Existing Tokens

View Token Details

Click on any token in the list to view:

  • Current usage statistics
  • Associated user information
  • Expiration status
  • Access history

Monitor Token Usage

Track important metrics:

  • Successful Attempts: Number of successful logins
  • Failed Attempts: Number of failed login attempts
  • Last Accessed At: Most recent usage timestamp

Security Considerations

  • Regularly review active tokens
  • Delete expired or unused tokens
  • Monitor failed login attempts for security issues
  • Use one-time tokens for sensitive operations

Best Practices

  • Expiration Strategy: Set appropriate expiration dates based on use case

    • OCI tokens: 30-90 days
    • Support tokens: 1-24 hours
    • Partner access: Based on contract duration
  • Token Naming: Use the Extra field to document token purpose

  • Regular Audits: Periodically review and clean up unused tokens

  • Security First: Default to one-time use for maximum security

  • Access Monitoring: Track failed attempts to identify potential security issues

  • Documentation: Keep records of why tokens were created and for whom
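
The audit described in these practices can be scripted. The following is an added example, not Propeller code: the record keys mirror the columns of the login tokens list, the sample records are constructed, and how the records are obtained is not covered here. Recognising the purpose from the start of the Extra field, the failed-attempt threshold and the 30-day "unused" window are assumptions of the example.

```python
from datetime import datetime, timedelta

# Longest remaining validity per purpose, taken from the expiration guidance above.
# Matching the purpose on the start of the Extra field is this example's convention.
MAX_REMAINING = {"oci": timedelta(days=90), "support": timedelta(hours=24)}
FAILED_THRESHOLD = 5              # assumed alert threshold, not a Propeller setting
STALE_AFTER = timedelta(days=30)  # assumed definition of "unused"

def audit(tokens, now):
    """Return {token name: [findings]} for every token that needs attention."""
    report = {}
    for t in tokens:
        findings = []
        extra = (t["extra"] or "").strip().lower()
        expires = datetime.fromisoformat(t["expires_at"])
        last = t["last_accessed_at"]  # None when the token was never used
        if expires <= now:
            findings.append("expired: delete")
        else:
            # If the time left already exceeds the limit, the full lifetime does too.
            for purpose, limit in MAX_REMAINING.items():
                if extra.startswith(purpose) and expires - now > limit:
                    findings.append(f"remaining validity exceeds {purpose} guidance")
            if last and now - datetime.fromisoformat(last) > STALE_AFTER:
                findings.append("unused for 30+ days: review")
            if extra.startswith("support") and not t["one_time_use"]:
                findings.append("support token is reusable")
        if not extra:
            findings.append("Extra is empty: purpose undocumented")
        if t["failed_attempts"] >= FAILED_THRESHOLD:
            findings.append("failed attempts: investigate")
        if findings:
            report[t["name"]] = findings
    return report

# Constructed sample records (not real data).
KEYS = ("name", "expires_at", "last_accessed_at", "failed_attempts", "one_time_use", "extra")
SAMPLE = [dict(zip(KEYS, row)) for row in [
    ("Acme Procurement", "2025-08-15T00:00", "2025-05-30T09:12", 0, False, "OCI - Acme"),
    ("J. Jansen", "2025-06-04T12:00", None, 0, False, "Support ticket #123"),
    ("Old Partner", "2025-05-01T00:00", "2025-01-10T08:00", 0, False, ""),
    ("Globex Buyer", "2025-07-01T00:00", "2025-03-01T10:00", 12, False, "OCI - Globex"),
]]
NOW = datetime(2025, 6, 1, 12, 0)  # fixed clock so the sample result is reproducible

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

Because the list shows no creation date, the check works on remaining validity; a token that has never been used is not reported as stale.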


Common Scenarios

OCI Integration Setup

  1. Create a reusable token for the OCI user
  2. Set expiration to match contract period
  3. Add "OCI - [Vendor Name]" in Extra field
  4. Configure external system with token URL

Support Impersonation

  1. Create one-time use token for specific customer
  2. Set short expiration (1-2 hours)
  3. Add support ticket reference in Extra field
  4. Use token to access customer's view

Passwordless Access

  1. Create token for user upon request
  2. Set appropriate expiration based on security policy
  3. Send token URL via secure email
  4. Monitor usage and regenerate as needed

Important Notes

  • Tokens are unique identifiers that grant full user access
  • Treat token URLs as sensitive information equivalent to passwords
  • Deleted tokens cannot be recovered
  • Failed login attempts may indicate compromised tokens
  • One-time tokens provide the highest security level
  • Always use HTTPS when transmitting token URLs
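
Because the token is carried in the query string, it is written wherever full URLs are recorded, such as web server access logs and Referer values, so treating it like a password includes scrubbing it before logs are stored or shared. The following is an added example, not Propeller code: it redacts the token parameter of the URL format shown above, and the log lines and host name are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"token"}  # parameter name from the login URL format on this page

# Absolute URLs, plus the relative /login?... request target seen in access logs.
URL_RE = re.compile(r"https?://[^\s\"'<>]+|/login\?[^\s\"'<>]+")

def redact_url(url):
    """Replace the value of sensitive query parameters, keeping the rest intact."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    query = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def redact_line(line):
    """Redact every URL found in one log line."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)

# Constructed access-log lines: the token appears once as the request target
# and once in a Referer value.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2025:12:00:01 +0000] '
    '"GET /login?token=CONSTRUCTED-TOKEN-1&lang=nl HTTP/1.1" 302 0 "-"',
    '203.0.113.7 - - [01/Jun/2025:12:00:02 +0000] '
    '"GET /account HTTP/1.1" 200 5120 "https://shop.example/login?token=CONSTRUCTED-TOKEN-2"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_line(line))
```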