The chat responses are generated using Generative AI technology for intuitive search and may not be entirely accurate. They are not intended as professional advice. For full details, including our use rights, privacy practices and potential export control restrictions, please refer to our Generative AI Service Terms of Use and Generative AI Service Privacy Information. As this is a test version, please let us know if something irritating comes up. Like you get recommended a chocolate fudge ice cream instead of an energy managing application. If that occurs, please use the feedback button in our contact form!
Skip to content
Insights Hub and Industrial IoT

Insights Hub drives smart manufacturing through the industrial Internet of Things. Gain actionable insights with asset and operational data and improve your processes.

Industrial IoT SDK for Python - Token Handling¶

Token Handling in Industrial IoT SDK for Python provides access token fetching using service credentials, caching them and re-fetching them on expiry. This provides an easy authorization handling mechanism for developers. Developers can configure user authorization tokens or service credentials. Service credentials can be set up programmatically or using environment variables.

Features¶

Token handling in the Industrial IoT SDK provides the following features:

  • Handling of user tokens
  • Fetching and handling of technical tokens
    • Fetching using app specific service credentials
    • Fetching using tenant specific service credentials
    • Fetching using tenant specific service credentials with subtenant impersonation
  • Token validation using issuer, issuing time, expiry time, token algorithm and token type before making API calls.
  • Reuse of technical tokens until they expire and automatic refresh when the expiry time is less than 5 minutes to reduce traffic.

Technical Token Handling Mechanisms¶

Token Fetching¶

The Industrial IoT SDK for Python uses the client ID, client secret and other configured parameters when fetching technical tokens to make Industrial IoT API calls. Refer to Environment Variables required to fetch Technical Tokens for more information on parameters to be configured.

The Industrial IoT SDK for Python uses app specific service credentials if available and otherwise looks for tenant specific service credentials.

Token Validation¶

API calls are only executed by the Industrial IoT SDK for Python if the technical token is valid. The validation uses the issuer, valid issuer, issued at, expiry, token algorithm, and token type in the check.

Token Caching and Re-Fetching¶

After fetching a valid token, the token is cached in a credentials object. Every technical token is valid for 30 minutes. A new token is automatically fetched 5 minutes before the expiry.

Required Environment Variables for Fetching Technical Tokens¶

The Industrial IoT SDK for Python only uses environment variables for fetching tokens if neither user token nor service credentials are available.

Environment Variables for App Specific Technical Tokens¶

Environment VariableDescription
MDSP_KEY_STORE_CLIENT_IDClient ID displayed as service credentials in Developer Cockpit or Operator Cockpit
MDSP_KEY_STORE_CLIENT_SECRETClient secret displayed as service credentials in Developer Cockpit or Operator Cockpit
MDSP_OS_VM_APP_NAMEThe application name as stored by the version management of the Operator Services
MDSP_OS_VM_APP_VERSIONThe application version as stored by the version management of the Operator Services
MDSP_HOST_TENANTHost Tenant
MDSP_USER_TENANTUser Tenant
HOST_BASEDOMAIN(optional)The basedomain url for domains other than '*.mindsphere.io'

Environment Variables for Tenant Specific Technical Tokens¶

Environment VariableDescription
MINDSPHERE_CLIENT_IDClient ID of the service credentials
MINDSPHERE_CLIENT_SECRETClient secret of the service credentials
MINDSPHERE_TENANTTenant name
HOST_BASEDOMAIN(optional)The basedomain url only for domains other than '*.mindsphere.io'

Environment Variables for Tenant Specific Technical Tokens with Subtenant Impersonation¶

Environmental Variable NameDescription
MINDSPHERE_CLIENT_IDClient ID of the service credentials
MINDSPHERE_CLIENT_SECRETClient secret of the service credentials
MINDSPHERE_TENANTTenant name
MINDSPHERE_SUB_TENANTSubtenant name
HOST_BASEDOMAIN(optional)The basedomain url only for domains other than '*.mindsphere.io'

Here are some examples of how you can also pass these variables as parameters for authentication and token handling.

NOTE¶

host_domain is set to 'mindsphere.io' by default

eu1 domain¶
config = mindsphere_core.RestClientConfig(
    host_environment='eu1'
)
credentials = AppCredentials(
    app_name="myapp",
    app_version="v1.0.0",
    key_store_client_id="tenant1-myapp-v1.0.0",
    key_store_client_secret="abcdefghijklmnopqrstuvw123",
    host_tenant="tenant1",
    user_tenant="tenant1"
)
assetsClient = AssetsClient(rest_client_config=config, mindsphere_credentials=credentials)
eu2 domain¶
config = mindsphere_core.RestClientConfig(
    host_environment='eu2'
)
credentials = AppCredentials(
    app_name="myapp",
    app_version="v1.0.0",
    key_store_client_id="tenant1-myapp-v1.0.0",
    key_store_client_secret="abcdefghijklmnopqrstuvw123",
    host_tenant="tenant1",
    user_tenant="tenant1"
)
assetsClient = AssetsClient(rest_client_config=config, mindsphere_credentials=credentials)
private cloud domain¶

For domain "tenant1.abc.basedomain.xyz"

config = mindsphere_core.RestClientConfig(
    host_environment='abc',
    host_domain='basedomain.xyz'
)
credentials = AppCredentials(
    app_name="myapp",
    app_version="v1.0.0",
    key_store_client_id="tenant1-myapp-v1.0.0",
    key_store_client_secret="abcdefghijklmnopqrstuvw123",
    host_tenant="tenant1",
    user_tenant="tenant1"
)
assetsClient = AssetsClient(rest_client_config=config, mindsphere_credentials=credentials)