The Node-RED admin API is secured using the adminAuth property in your file. The security section describes how that property should be configured.
If that property is not set, the Node-RED admin API is accessible to anyone with network access to Node-RED.
An HTTP GET to /auth/login returns the active authentication scheme.
In the current version of the API, there are two possible results:
All API requests can be made without providing any further authentication information.
The API is secured by access token.
An HTTP POST to /auth/token is used to exchange user credentials for an access
The following parameters must be provided:
client_id - identifies the client. Currently, must be either
grant_type - must be
scope - a space-separated list of permissions being requested. Currently, must be either
username - the username to authenticate
password - the password to authenticate
curl http://localhost:1880/auth/token --data 'client_id=node-red-admin&grant_type=password&scope=*&username=admin&password=password'
If successful, the response will contain the access token:
All subsequent API calls should then provide this token in the
curl -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/settings
To revoke the token when it is no longer required, it should be sent in an HTTP
curl --data 'token=A_SECRET_TOKEN' -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/auth/revoke
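The workflow above as a small shell helper, added here as an example and not part of the Node-RED documentation: it checks whether the admin API is open, reads the password from stdin instead of the command line, and revokes the token after use. NR_URL and the nr_* function names are hypothetical, and the JSON shapes (an empty object from an unsecured /auth/login, an access_token field in the token response) are assumptions about the responses.

```shell
#!/bin/sh
# Added example; NR_URL and the nr_* names are hypothetical.
NR_URL="${NR_URL:-http://localhost:1880}"

# Classify a GET /auth/login body. Assumption: an instance without
# adminAuth returns {} and a secured one an object with a "type" field.
nr_scheme_from_body() {
  case "$1" in
    *'"type"'*) echo token ;;
    *) echo open ;;
  esac
}

# Extract access_token (assumed field name) from a /auth/token response.
nr_token_from_body() {
  printf '%s' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Fail loudly if the admin API answers without requiring a token.
nr_audit() {
  body=$(curl -fsS "$NR_URL/auth/login") || return 1
  [ "$(nr_scheme_from_body "$body")" = token ] && return 0
  echo "WARNING: admin API at $NR_URL is unauthenticated" >&2
  return 2
}

# Exchange credentials for a token. The password arrives on stdin, so it
# stays out of the process list and shell history.
# usage: printf '%s' "$pw" | nr_login USER
nr_login() {
  body=$(curl -fsS "$NR_URL/auth/token" \
    --data 'client_id=node-red-admin&grant_type=password&scope=*' \
    --data-urlencode "username=$1" --data-urlencode 'password@-') || return 1
  nr_token_from_body "$body"
}

# One authenticated GET, with the token revoked afterwards either way.
# usage: printf '%s' "$pw" | nr_get USER /settings
nr_get() {
  token=$(nr_login "$1") || return 1
  [ -n "$token" ] || return 1
  rc=0
  curl -fsS -H "Authorization: Bearer $token" "$NR_URL$2" || rc=$?
  curl -fsS -o /dev/null -H "Authorization: Bearer $token" \
    --data-urlencode "token=$token" "$NR_URL/auth/revoke" || rc=$?
  return "$rc"
}
```

The bearer token is still visible in curl's arguments while a request runs, which is one more reason to revoke it as soon as the work is done.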