I’m working on building a mobile app that uses Balena’s APIs.
I’m wondering if there is a supported way to get an auth token for use with these APIs.
The auth documentation suggests having the user manually provide a session token or named API key, but this is a bit cumbersome in a mobile app.
So far I’ve been using an undocumented API to get a JWT: https://api.balena-cloud.com/login_
This works, but it has a few downsides (beyond just being undocumented).
I think an OAuth API would be really nice for authentication with Balena. It would allow for a standards-based auth API and would ideally enable long-lived refresh tokens to keep the user logged in.
An OAuth password grant flow would be great, but a web-based OAuth authorization code flow with the PKCE extension might be even better for most public (especially third-party) clients:
- The user wouldn’t share credentials directly with the third-party client
- The user may already be logged into balena’s website (or use a browser’s password autofill)
- Easier support for MFA and third-party auth providers (GitHub or Google)
I’d love to hear if this is something that has been considered or is possibly on the road map.
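
For readers unfamiliar with the PKCE extension (RFC 7636) mentioned in the post, here is an added sketch that is not part of the original post and does not describe any existing balena API. `ToyAuthServer` and every name in it are hypothetical; it shows why an authorization code captured from the redirect cannot be redeemed without the verifier that never leaves the app.

```python
import base64, hashlib, hmac, secrets

def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without "=" padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    # 32 random bytes -> 43-character verifier (RFC 7636 allows 43-128)
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Hypothetical in-memory authorization server, for illustration only."""

    def __init__(self):
        self._codes = {}  # authorization code -> (user, code_challenge)

    def authorize(self, user: str, code_challenge: str, method: str) -> str:
        # Reached after the user signs in on the provider's own web page,
        # so the client app never handles the password or MFA step.
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' exposes the verifier")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, code_challenge)
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # Single use: pop first, so a failed attempt also burns the code.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        user, challenge = entry
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"sub": user,
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}

def demo() -> dict:
    server = ToyAuthServer()
    verifier = make_verifier()  # generated and kept on the device
    code = server.authorize("alice", s256_challenge(verifier), "S256")
    return server.token(code, verifier)  # app redeems code plus verifier

if __name__ == "__main__":
    print(demo()["sub"])
```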