Authentication

The Space API uses token-based authentication to control access to floor plans and related resources. Different token types are available depending on your use case.

Scopes

Space API V2 supports the following scopes:

| Scope | Description |
| --- | --- |
| floor:readPublic | Read public floor resources |
| floor:readPrivate | Read private floor resources |
| floor:queryPublic | List and read public floor resources |
| floor:queryPrivate | List and read private floor resources |
| floor:update | Update floor or layout |
| floor:export | Export floor |
| floor:archive | Archive floors |
| customAttributes:read | Read custom attribute definitions |
| customAttributes:write | Create/Update/Delete custom attributes definitions |
| customAttributeValues:readPublic | Read custom attributes values of public floors |
| customAttributeValues:readPrivate | Read custom attributes values of private floors |
| customAttributeValues:write | Create/Update/Delete custom attributes values |
| extension:create | Create extensions |
| extension:update | Update extensions |
| extension:query | Query extensions |
| extension:delete | Delete extensions |

Publishable Access Token

Publishable tokens restrict which domains can display public floors. They are safe to expose in frontend code.

Scopes

Publishable access tokens support only the following scopes:

  • floor:readPublic
  • floor:queryPublic
  • customAttributes:read
  • customAttributeValues:readPublic

Generate

Generate on the access tokens page (100 token limit).

Usage

Supply in the pubtoken query parameter:

```bash
# You need to supply a domain allowed for this token as origin to simulate a browser environment
curl -H "Origin: ${ORIGIN}" \
  "https://api.archilogic.com/v2/floor/${FLOOR_ID}?pubtoken=${PUBLISHABLE_TOKEN}"
```

INFO: Publishable tokens for the 3D Embed API should allow the viewer.archilogic.com domain.

Secret Access Token

Secret tokens provide full API access with all scopes. Use them only in backend applications and keep them secure.

Generate

Generate on the access tokens page (100 token limit).

Usage

Supply in the Authorization header as a Bearer token:

```bash
curl -H "Authorization: Bearer ${SECRET_TOKEN}" \
  "https://api.archilogic.com/v2/floor/${FLOOR_ID}"
```

Temporary Access Token

Generate short-lived tokens server-side for secure frontend access to private resources without exposing secret tokens.

Your backend requests a temporary token using your secret token, then provides this temporary token to your frontend for secure API access.

Generate

Create temporary tokens using your secret token.

Method:

POST

https://api.archilogic.com/v2/temporary-access-token/create

Parameters:

JSON object in the body of the request with the following properties:

  • scopes {ScopeDefinition[]} - Array of scope definitions (must be a subset of the secret token's scopes)

```tsx
type ResourceScope = 'floor'

type ActionScope =
  | 'archive'
  | 'queryPublic'
  | 'queryPrivate'
  | 'readPrivate'
  | 'readPublic'
  | 'write'

interface ScopeDefinition {
  resource: ResourceScope
  action: ActionScope
}
```

  • durationSeconds {number} - Token validity in seconds (15 min - 1 day, default: 1 hour)

Returns:

JSON with the following properties:

  • authorization {string} - Bearer token for Authorization header
  • expiresAt {number} - Unix timestamp when token expires

Example API call:

```bash
curl -X POST \
  -H "Authorization: Bearer ${SECRET_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"scopes": [{"resource": "floor", "action": "readPrivate"}], "durationSeconds": 3600}' \
  "https://api.archilogic.com/v2/temporary-access-token/create"
```

Example response:

```json
{
  "authorization": "Bearer XlqHBdUIOF46ah...",
  "expiresAt": 1616079083
}
```

Usage

Supply in the Authorization header as a Bearer token:

```bash
curl -H "Authorization: Bearer ${TEMPORARY_TOKEN}" \
  "https://api.archilogic.com/v2/floor/${FLOOR_ID}"
```
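
The backend half of the temporary-token flow, as an added example that is not Archilogic's code: it validates scopes and duration before calling the endpoint documented above and returns only the temporary token for the frontend. The read/query-only allow-list, the `fetchImpl` parameter and the 30-second refresh margin are assumptions of this example.

```javascript
// Added example, not Archilogic code. Endpoint, body fields and limits come from this page.
const TOKEN_URL = 'https://api.archilogic.com/v2/temporary-access-token/create'
const MIN_SECONDS = 15 * 60 // lower bound stated above (15 min)
const MAX_SECONDS = 24 * 60 * 60 // upper bound stated above (1 day)
// Assumption: a browser only ever needs read/query actions, never 'archive' or 'write'.
const FRONTEND_ACTIONS = new Set(['readPublic', 'readPrivate', 'queryPublic', 'queryPrivate'])

// Validate locally so an over-broad or over-long request never leaves the backend.
function buildTokenRequest(secretToken, scopes, durationSeconds = 3600) {
  if (!Array.isArray(scopes) || scopes.length === 0) throw new Error('at least one scope is required')
  for (const { resource, action } of scopes) {
    if (resource !== 'floor') throw new Error(`unsupported resource: ${resource}`)
    if (!FRONTEND_ACTIONS.has(action)) throw new Error(`action not allowed for frontend: ${action}`)
  }
  if (!Number.isInteger(durationSeconds) || durationSeconds < MIN_SECONDS || durationSeconds > MAX_SECONDS) {
    throw new Error(`durationSeconds must be ${MIN_SECONDS}..${MAX_SECONDS}`)
  }
  return {
    url: TOKEN_URL,
    init: {
      method: 'POST',
      headers: { Authorization: `Bearer ${secretToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ scopes, durationSeconds })
    }
  }
}

// fetchImpl is injectable (hypothetical parameter) so this runs without network access.
async function mintTemporaryToken(secretToken, scopes, durationSeconds, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(secretToken, scopes, durationSeconds)
  const res = await fetchImpl(url, init)
  if (!res.ok) throw new Error(`token request failed with status ${res.status}`)
  const { authorization, expiresAt } = await res.json()
  if (typeof authorization !== 'string' || !Number.isFinite(expiresAt)) {
    throw new Error('unexpected token response shape')
  }
  // Hand the browser only these two fields; the secret token stays on the server.
  return { authorization, expiresAt }
}

// expiresAt is a Unix timestamp in seconds; refresh slightly early to absorb clock skew.
function needsRefresh(expiresAt, nowMs = Date.now(), skewSeconds = 30) {
  return nowMs / 1000 >= expiresAt - skewSeconds
}
```

Expose `mintTemporaryToken` only behind your own authenticated backend route, so that each signed-in user receives a token scoped to what that user may view.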

Example App

Access Private Models with the Floor plan engine and Temporary Access Tokens

OAuth 2.0 Access Tokens

OAuth 2.0 tokens provide the same capabilities as secret tokens through standardized authorization flows.

See the OAuth 2.0 guide for implementation details.