HTTP API: Inspecting Webtask Tokens

Inspect existing webtask tokens and obtain the embedded secrets and code

The webtask token inspect endpoint is used to inspect an existing webtask token. The request provides the authenticating webtask token A1 in the headers and the token for inspection A2 in the query parameters.

Inspecting tokens is useful when you are storing derived tokens on behalf of your users in a multi-tenant setup. Inspecting tokens provides a mechanism to securely inspect the code and/or secrets that are embedded in a webtask that would otherwise be impossible to determine.

HTTPS GET /api/tokens/inspect?token=<A2_TOKEN>
Authorization: Bearer <A1_TOKEN>

The A2 token that is being inspected must have been created using the A1 token that is being used to authenticate the token inspection call. Furthermore, the A1 token cannot have either the url or ectx claims set.

Fetch code

When inspecting a webtask token with fixed code, the fetch_code query parameter can be set to true in order to resolve any stored code before sending the response. The webtask's code will be available in the code property of the response body.

Decrypt secrets

When inspecting a webtask token with encrypted secrets, the decrypt query parameter can be set to true in order to decrypt any secrets before sending the response. The decrypted secrets will be available in the secrets property of the response body as a JavaScript object mapping secret names to their values.
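
The request described above, built on the client side, as an added example that is not part of the Webtask documentation or its client code: it refuses an A1 token carrying the url or ectx claim before any call is made, sets fetch_code and decrypt only when asked, and produces a copy of the response body that is safe to log once secrets have been decrypted. It assumes webtask tokens are JWTs whose claims can be read from the second segment; the helper names, the host `webtask.example.invalid` and the sample tokens are constructed for illustration.

```javascript
// Added example, not Webtask's own client code.
// Assumption: webtask tokens are JWTs, so the claims are base64url JSON in segment two.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('token is not in three-part JWT form');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build the inspection request described on this page; nothing is sent here.
function buildInspectRequest(baseUrl, a1Token, a2Token, opts = {}) {
  const claims = decodeClaims(a1Token);
  for (const claim of ['url', 'ectx']) {
    if (claim in claims) {
      throw new Error(`A1 token carries the ${claim} claim and cannot authenticate an inspection`);
    }
  }
  const url = new URL('/api/tokens/inspect', baseUrl);
  url.searchParams.set('token', a2Token);
  if (opts.fetchCode) url.searchParams.set('fetch_code', 'true');
  if (opts.decrypt) url.searchParams.set('decrypt', 'true');
  return { method: 'GET', url: url.toString(), headers: { Authorization: `Bearer ${a1Token}` } };
}

// Copy of a response body that is safe to log: secret names kept, values and code dropped.
function redactInspection(body) {
  const out = { ...body };
  if (body.secrets && typeof body.secrets === 'object') {
    out.secrets = Object.fromEntries(Object.keys(body.secrets).map((k) => [k, '[redacted]']));
  }
  if (typeof body.code === 'string') out.code = `[${body.code.length} chars]`;
  return out;
}

// Constructed sample tokens (unsigned placeholders, not real webtask tokens).
function fakeToken(claims) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${seg({ alg: 'none' })}.${seg(claims)}.sig`;
}
const SAMPLE_A1 = fakeToken({ jti: 'constructed-a1' });
const SAMPLE_A2 = fakeToken({ jti: 'constructed-a2', url: 'https://example.invalid/task.js' });
```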