Alx Ki, Python Web Development Techdegree Graduate, 14,810 Points
My token changes each time I click Send
For some reason, when I do the same as Kenneth Love did at 10:00, the returned token changes every time I click the Send button.
Chris Howell, Python Web Development Techdegree Graduate, 49,610 Points
Hi Alexey Kislitsin
So you will notice that initially he sent a GET request to /api/v1/users/token, right?
You will want to take note of what he is doing at about the 1:38s mark.
First he sends a POST using Basic Auth. This is basically emulating the submission of a form, like a "Login Form" on a website. When he sends, you will notice he gets his proper JSON response back, and in Postman at the 1:48s mark, to the right of the Username field, it says in small writing: "The authorization header will be generated and added as a custom header." You can later see this around the 9:40s mark, when he changes the value that the Authorization key is holding from Basic .... to Token. When he hit Send on that Basic style, it auto-generated those headers.
Soon after, he switches to No Auth and changes Basic to Token, and the API is set to look for Token auth first and fall back to Basic.
Tokens are meant to be generated on the fly, each request sent. They are meant to be encrypted so they are difficult or impossible to break, but they need to be able to be encrypted the same way so that even though the tokens are different, they have a way to be compared/validated without being able to decrypt them. If that makes sense? This makes them pretty secure as long as no one can get a hold of your token :)
Now, the reason Kenneth's was staying the same around the 10 min mark: he was using No Auth and he was explicitly passing the header Auth Token with the request; it was not being generated again.
Does this help at all?
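Why a new token on every Basic-auth request can still validate, as an added example that is not code from the course or from either poster. It assumes the token endpoint returns an HMAC-signed (not encrypted) token that embeds an issue time, and it adds a random nonce so two tokens minted in the same second still differ; `SECRET_KEY`, `issue_token` and `verify_token` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(user_id, now=None):
    """What a Basic-auth request to the token endpoint would trigger (assumed design)."""
    payload = {
        "id": user_id,
        "iat": int(time.time() if now is None else now),  # issue time
        "nonce": secrets.token_hex(8),                    # differs on every call
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token, max_age=3600, now=None):
    """Return the user id for a genuine, unexpired token, otherwise None."""
    try:
        body, sig = token.split(".")
        # The server recomputes the signature; it never stores issued tokens.
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    current = time.time() if now is None else now
    if current - payload["iat"] > max_age:
        return None  # expired
    return payload["id"]
```

Sending Basic credentials corresponds to calling `issue_token` again, so the value changes each time; re-sending a saved token in the Authorization header only calls `verify_token`, so the value stays the same.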