Fliplet.App.Tokens
Fliplet.App.Tokens
Read the list of API tokens an app has issued to external services and backend integrations. Each token represents a non-human “app user” account with scoped access (viewer role, by default) that lets a trusted backend system, webhook, or third-party integration authenticate against the Fliplet API on behalf of the app.
This package is a thin client over the v1/apps/{appId}/tokens REST endpoint and exposes a single global, Fliplet.App.Tokens. Use it when an app or admin screen needs to display, audit, or correlate the tokens that have been provisioned for backend integrations.
Note: Creating and deleting tokens is performed in Fliplet Studio (App Settings → Security → API tokens) or directly via the REST API. The client library is intentionally read-only.
Install
Add the fliplet-tokens dependency to your screen or app resources. The package depends on fliplet-core and registers itself under Fliplet.App.Tokens.
Fliplet.App.Tokens.get()
(Returns Promise<Array>)
Fetch the list of tokens issued for an app. Wraps GET v1/apps/{appId}/tokens and resolves with the appTokens array from the response body.
Usage
const tokens = await Fliplet.App.Tokens.get();
// tokens is an array of objects:
// [
// {
// id: 12345,
// firstName: 'Zapier integration', // the token's display name
// lastName: null,
// email: '[email protected]',
// auth_token: 'eyJhbGciOi...', // the bearer token value
// type: 'appToken'
// },
// ...
// ]
- options (Object, optional) Configuration for the request.
- appId (Number) The app id to read tokens for. Defaults to
Fliplet.Env.get('appId'). ThrowsError: appId is requiredwhen neither is set. - query (Object) Query string parameters forwarded to the REST endpoint. The endpoint accepts:
- type (String) Filter by token type. Defaults to
appToken. PassintegrationTokento read integration-only tokens. - order (String) Field to order results by. Defaults to
firstName. - direction (String)
ASCorDESC. Defaults toASC.
- type (String) Filter by token type. Defaults to
- appId (Number) The app id to read tokens for. Defaults to
Examples
Read all tokens for the current app
const tokens = await Fliplet.App.Tokens.get();
tokens.forEach((token) => {
console.log(token.firstName, token.id);
});
Read tokens for a specific app
const tokens = await Fliplet.App.Tokens.get({ appId: 1234 });
Filter to integration tokens, newest first
const tokens = await Fliplet.App.Tokens.get({
query: {
type: 'integrationToken',
order: 'id',
direction: 'DESC'
}
});
Response shape
Each item in the resolved array is an “app user” record representing a token:
| Field | Type | Description |
|---|---|---|
id |
Number | Internal user id of the token holder. Use this id when calling the delete REST endpoint. |
firstName |
String | The token’s display name as set when it was created. |
lastName |
String | null | Always null for tokens. |
email |
String | Synthetic email of the form token-{appId}-{slug}-{n}@fliplet.com, generated by the API when the token is created. |
auth_token |
String | The bearer token value. Send it as Auth-token: <value> (or Authorization: Bearer <value>) when calling Fliplet APIs. |
type |
String | appToken (default) or integrationToken. |
Token types
appToken— General-purpose API token scoped to the app. Granted theviewerapp role.integrationToken— Token reserved for first-class integrations (e.g. Zapier, webhook receivers, server-to-server jobs). Subject to theappSecurity.tokenManagementplan feature; creation and deletion fail with a billing error if the organisation’s plan does not include it.
Using a token to call the Fliplet API
Once you have an auth_token, a backend service can call any Fliplet API endpoint that the app role permits by sending the token as a header. Tokens carry the viewer app role, so they can read app data sources, app submissions, and similar read-scoped resources.
// From a backend (Node, Python, curl, etc.) — never expose tokens in the browser.
fetch('https://api.fliplet.com/v1/data-sources/1234/data', {
headers: {
'Auth-token': process.env.FLIPLET_APP_TOKEN
}
}).then((r) => r.json());
curl https://api.fliplet.com/v1/apps/$APP_ID/tokens \
-H "Auth-token: $FLIPLET_APP_TOKEN"
Access and security
- Authentication required. The underlying
v1/apps/{appId}/tokensendpoint requires an authenticated request — typically a Studio user session or a token that already has access to the app. CallingFliplet.App.Tokens.get()from a public, unauthenticated screen will fail. - Rate limited. The endpoint is brute-force rate-limited under the
appTokensrate-limit bucket. Avoid polling it from end-user screens. - Treat
auth_tokenas a secret. The value functions as a long-lived password for the app. Surface it only in trusted admin contexts (e.g. a Studio settings screen visible to logged-in admins) and never log, embed, or persist it in client storage that other users can read. - Token creation and deletion are not exposed in this client library. Use Fliplet Studio or
POST/DELETE v1/apps/{appId}/tokensdirectly. Both write endpoints additionally enforce theappSecurity.tokenManagementplan feature when working withintegrationTokenrecords.