Authentication and Authorization
Last updated
Was this helpful?
Last updated
Was this helpful?
When building an application with CARTO for React, we can classify authentication and authorization in two structures:
Public applications: The user does not need to log into the application. Access to data is provided through an API Access Token.
Private applications: Requires that the end user performs a login using their CARTO credentials.
To create a public application, you'll need to:
Obtain an API Access Token with access to all the data sources you want to use in your application.
Learn how to using CARTO Workspace.
You can also prototype a Builder map with all the sources and as your API Access Token.
Introduce the token in the application config (src/store/initialStateSlice.js) and remove the OAuth section.
The file src/store/initialStateSlice.js will look like this, and your application will be public to anyone accessing it.
Create a new SPA OAuth Client with the URL https://127.0.0.1:3000
Copy the Client ID and introduce it at src/store/initialStateSlice.js.
When you have everything configured, the first screen for your application will be the following:
When your users click on the Login with CARTO button, the authentication protocol will start and your users will need to login using their CARTO credentials and allow access to the application. When the protocol finishes, a new access token with the required scopes will be sent. This access token will be used to access the data sources in the application, unless specific credentials are provided.
To do so, obtain your SSO Organization ID from our Support team and introduce it at src/store/initialStateSlice.js here:
Here's a video that shows the experience for new users in your app once SSO and Just-in-time provisioning have been enabled and configured in your application.
If you are using the CARTO 2 platform, the process is slightly different.
If you want to create a public application, you can make the datasets public in the CARTO 2 Dashboard and then you can use the default_public API key when providing the credentials for accessing the dataset.
If you need to create a private application, you have two options:
Generate an API key with access (read) to the datasets.
Use OAuth for authentication.
This is the traditional (legacy) way of working with private applications in the CARTO 2 platform. You need to generate an API key in the CARTO 2 Dashboard with access (read/select) to your datasets. After you have generated the API key, you introduce this API key in the initial state slice.
If you are using API keys, you need to implement your own authentication mechanism if you want to restrict access. Anyone can read your API key from the JavaScript source and you are potentially exposing more information than you want to.
OAuth scopes are used to specify what permissions will users have to give to the application. For example, datasets:r:table_name will grant read access to the table table_name.
The workflow is:
You login with the desired scopes.
You get an API_KEY (token) to call CARTO APIs but restricted to the requested scopes.
Then, you need to edit the src/store/initialStateSlice.js file and modify the clientId property in the oauthInitialState object. You can also modify the scopes property to specify what permissions you want to give the application.
If you want to force authentication in your application, so no unauthenticated users can access, you need to set the forceOAuthLogin property to true in the initialState object within the src/store/appSlice.js file. When you activate this flag, the first screen for your application will be the following:
When your users click on the Login with CARTO button, the OAuth protocol flow will start and your users will be asked to allow access to their CARTO account.
Once the OAuth flow has been completed and the user has given consent to your application to access their CARTO account, you can obtain user credentials like this:
This credentials object can be used, for instance, when using a data source from a view:
The credentials object contains the username and the API key, so you can use them to call any of the CARTO REST APIs endpoints.
If you are building a private application, you first need to create a and get a Client ID:
Go to the section inside CARTO Workspace
If you have enabled a integration and your users are authenticating to CARTO through your own Identity Provider (IdP), you can leverage the SSO setup in your CARTO for React private application.
If you have enabled in CARTO Workspace, the latest version of src/hooks/Auth0.ts contains the necessary changes to provide a seamless first-time experience for new users that didn't exist previously in CARTO.
CARTO 2 supports to communicate with CARTO 2 REST APIs. OAuth is the preferred method to manage credentials, so we recommend you use this protocol for implementing authentication & authorization in your applications.
The first step you need to perform is to go to your CARTO 2 Dashboard and create a new OAuth app as described in the , in order to get the clientID for your application.
If your dataset is private and you want other users in your organization to be able to access it, you need to share it with them using the option in the dashboard.
If you just want to restrict access to some application features, you can use the component. This will display a popup with the implicit OAuth flow.
You can also use these credentials to call directly to our APIs from your models. You have an example of this in the provided with the sample app template.
