Balena OAuth API or other log in API

I’m working on building a mobile app that uses Balena’s APIs.

I’m wondering if there is a supported way to get an auth token for use with these APIs.

The auth documentation suggests having the user manually provide a session token or named API key, but this is a bit cumbersome in a mobile app.

So far I’ve been using an undocumented API to get a JWT:

This works, but it has a few downsides (beyond just being undocumented :wink:).

I think an OAuth API would be really nice for authentication with Balena. It would allow for a standards-based auth API and would ideally enable long-lived refresh tokens to keep the user logged in.

An OAuth password grant flow would be great, but a web-based OAuth authorization code flow with the PKCE extension might be even better for most public (especially third party) clients:

  • The user wouldn’t share credentials directly with the third party client
  • The user may already be logged into balena’s website (or use a browser’s password autofill)
  • Easier support for MFA and third party auth providers (GitHub or Google)

I’d love to hear if this is something that has been considered or is possibly on the road map.

cc @shaunmulligan
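The authorization code flow with PKCE (RFC 7636) proposed in the post above, as an added example that is not part of the original thread or of balena's code: the app keeps a one-time verifier, sends only its SHA-256 challenge through the browser, and the server redeems the code only for the matching verifier, so a code captured from the custom-scheme redirect is useless on its own. The authorize URL, client ID and `foobar://` redirect URI are hypothetical placeholders; the thread documents no balena OAuth endpoint.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical values: no balena OAuth endpoint is documented in this thread.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-mobile-app"
REDIRECT_URI = "foobar://oauth/callback"  # custom scheme registered by the app

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def start_login():
    """Client: create per-login secrets and the URL to open in the browser."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, never leaves the device
    state = b64url(secrets.token_bytes(16))     # binds the callback to this login
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return verifier, state, f"{AUTHORIZE_URL}?{query}"

def handle_callback(callback_url: str, expected_state: str) -> str:
    """Client: accept the redirect only if target and state both match."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("unexpected redirect target")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code")
    return params["code"][0]

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Server, at the token endpoint: redeem the code only for the right verifier."""
    computed = s256_challenge(presented_verifier)
    return hmac.compare_digest(computed.encode(), stored_challenge.encode())
```
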



try to:

  • open from your app
  • let foobar be your custom scheme, register it
  • user can login & click on the Authorize button

I just tested this approach and it works. The only thing you have to keep in mind is that you have to change http (scheme) only. Otherwise it won’t work. The code is probably checking for the & /auth? Don’t know for sure. Sounds like a not very reliable way to me. Good as a start.

You can also inspect the source to check what we’re doing. With balena login, you can use credentials and they can be stored in the iOS keychain already. You can ask the keychain for the website password, can be autofilled.

Anyway, none of these things are officially supported (AFAIK) and we should wait for @shaunmulligan’s answer.

@zrzka I had played a bit with this approach as well. It’s a good hack, but has similar downsides to the JWT API (mostly being undocumented and providing short-lived session tokens).

Thanks for confirming that it’s technically possible, though :slight_smile:

Hi Will,

We do have this as part of our roadmap. I can’t be specific in terms of any timeframe for this because, as far as I know, there was no work done yet. I can confirm though that this is something we do have on our radar, and seeing more people interested in it gives us an additional incentive. In order to track this activity, you can use a card we created in our public Trello board:.

Hope this clarifies it a little,


Hi Andrei,

Thanks for the reply – that’s great to hear it’s something that’s being considered.

I think I can use the solutions mentioned above in the meantime.