
Token Based Authentication Not working

Hi, I am trying to make use of ERPNext token-based authentication, but instead of generating the api key & api secret from the web console, I was using the RPC api call to generate the api secret.


But the issue which I am facing is that when I retrieve the api_secret using the RPC api call, that api_secret is not working and does not authenticate me. On the other hand if I get the api_secret using the web UI that is working.

I am unable to figure out what is going wrong. I am using erpnext v13.

How do you authenticate to the API when you call the generate_keys method?

I make use of the token based authorization while calling the generate_keys method. The token which I am using is the api key & api secret of the administrator.

Header which I am using for generate_keys method call using administrator keys:

Authorization: token qfb47df2cbcf1k4:ce41561b657gg38

The only thing I can think of is that you might be inadvertently using the secret as the key and the key as the secret, or maybe the administrator's key and the user's secret.

The number of times I have done that kind of thing makes me hate myself and wonder if I would not be better getting a job flipping hamburgers.

I have verified it multiple times, I am using the correct api key and the corresponding api secret returned for that user.

The thing I find weird is that the api secret generated from the web is working whereas the api secret returned from the api is not, for the same user. My assumption is that it is not updating the database when I make an api call, but as the tabuser table has ********** for api secret, I am unable to check. Is there any way to check that, or is it saved somewhere else?

I seem to remember screwing with that many months ago, and decided it was simply defective.

Maybe you can find the Python code and stick in a few logging statements to see if the API and web calls are treated differently.

Yeah this is a good suggestion, I will try that and see if there is any difference. Thanks

hi @sanket,
How does your exploration go?

I tried the same RPC requests but they always return 404 DoesNotExistError (the user not found).
I also tried the command line, with the same result: user not found.

I use Administrator key:secret to run the method. And also tried other user (with full permissions) key:secret. All the same 404 error.

Is there any other way to generate token for a user?

I use version 12

Is this an HTTP GET request? Try using a POST request.

If your method changes the state of the database, use POST. After a successful POST request, the framework will automatically call frappe.db.commit() to commit the changes to the database.

GET and POST are the same.
404 Not Found

What should be filled in the user_name?
I tried email, name, fullname, username; nothing succeeded.