Appearance
Authentication
The Space API uses token-based authentication to control access to floor plans and related resources. Different token types are available depending on your use case:
- Publishable tokens for public resources in frontend applications
- Secret tokens for backend integrations with full API access
- Temporary tokens for secure frontend access to private resources
- OAuth 2.0 tokens for standardized authorization flows
Scopes
Space API V2 supports the following scopes:
| Scope | Description |
|---|---|
floor:readPublic | Read public floor resources |
floor:readPrivate | Read private floor resources |
floor:queryPublic | List and read public floor resources |
floor:queryPrivate | List and read private floor resources |
floor:update | Update floor or layout |
floor:export | Export floor |
floor:archive | Archive floors |
customAttributes:read | Read custom attribute definitions |
customAttributes:write | Create/Update/Delete custom attributes definitions |
customAttributeValues:readPublic | Read custom attributes values of public floors |
customAttributeValues:readPrivate | Read custom attributes values of private floors |
customAttributeValues:write | Create/Update/Delete custom attributes values |
extension:create | Create extensions |
extension:update | Update extensions |
extension:query | Query extensions |
extension:delete | Delete extensions |
Publishable Access Token
Publishable tokens restrict which domains can display public floors. Safe to expose in frontend code.
Scopes
Publishable access tokens support only the following scopes:
floor:readPublicfloor:queryPubliccustomAttributes:readcustomAttributeValues:readPublic
Generate
Generate on the access tokens page (100 token limit).
Usage
Supply in the pubtoken query parameter:
bash
# You need to supply a domain allowed for this token as origin to simulate a browser environment
curl -H "Origin: ${ORIGIN}" \
"https://api.archilogic.com/v2/floor/${FLOOR_ID}?pubtoken=${PUBLISHABLE_TOKEN}"INFO
Publishable tokens for the 3D Embed API should allow the viewer.archilogic.com domain.
Secret Access Token
Secret tokens provide full API access with all scopes. Use only in backend applications and keep secure.
Generate
Generate on the access tokens page (100 token limit).
Usage
Supply in the Authorization header as a Bearer token:
bash
curl -H "Authorization: Bearer ${SECRET_TOKEN}" \
"https://api.archilogic.com/v2/floor/${FLOOR_ID}"Temporary Access Token
Generate short-lived tokens server-side for secure frontend access to private resources without exposing secret tokens.
Your backend requests a temporary token using your secret token, then provides this temporary token to your frontend for secure API access.
Generate
Create temporary tokens using your secret token.
Method:
POST
https://api.archilogic.com/v2/temporary-access-token/create
Parameters:
JSON object in the body of the request with the following properties:
scopes{ScopeDefiniton[]}- Array of scope definitions (must be subset of secret token's scopes)
tsx
type ResourceScope = 'floor'
type ActionScope =
| 'archive'
| 'queryPublic'
| 'queryPrivate'
| 'readPrivate'
| 'readPublic'
| 'write'
interface ScopeDefinition {
resource: ResourceScope
action: ActionScope
}durationSeconds{number}- Token validity in seconds (15 min - 1 day, default: 1 hour)
Returns:
JSON with the following properties:
authorization{string}- Bearer token for Authorization headerexpiresAt{number}- Unix timestamp when token expires
Example API call:
bash
curl -X POST \
-H "Authorization: Bearer ${SECRET_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"scopes": [{"resource": "floor", "action": "readPrivate"}], "durationSeconds": 3600}' \
"https://api.archilogic.com/v2/temporary-access-token/create"Example response:
json
{
"authorization": "Bearer XlqHBdUIOF46ah...",
"expiresAt": 1616079083
}Usage
Supply in the Authorization header as a Bearer token:
bash
curl -H "Authorization: Bearer ${TEMPORARY_TOKEN}" \
"https://api.archilogic.com/v2/floor/${FLOOR_ID}"Example App
Access Private Models with the Floor plan engine and Temporary Access Tokens
OAuth 2.0 Access Tokens
OAuth 2.0 tokens provide the same capabilities as secret tokens through standardized authorization flows.
See the OAuth 2.0 guide for implementation details.