The Node-RED admin API is secured using the adminAuth property in your settings.js file. The security section describes how that property should be configured.
If that property is not set the Node-RED admin API is accessible to anyone with network access to Node-RED.
An HTTP GET to /auth/login returns the active authentication scheme.
curl http://localhost:1880/auth/login
In the current version of the API, there are two possible results:
{}
All API requests can be made without providing any further authentication information.
The API is secured by an access token.
An HTTP POST to /auth/token is used to exchange user credentials for an access token.
The following parameters must be provided:
- client_id - identifies the client. Currently, must be either node-red-admin or node-red-editor.
- grant_type - must be password
- scope - a space-separated list of permissions being requested. Currently, must be either * or read.
- username - the username to authenticate
- password - the password to authenticate
curl http://localhost:1880/auth/token --data 'client_id=node-red-admin&grant_type=password&scope=*&username=admin&password=password'
If successful, the response will contain the access token:
All subsequent API calls should then provide this token in the Authorization header.
curl -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/settings
To revoke the token when it is no longer required, it should be sent in an HTTP POST to /auth/revoke:
curl --data 'token=A_SECRET_TOKEN' -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/auth/revoke
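The whole sequence above (probe /auth/login, exchange credentials, call the API, revoke) as one client routine. This is an added example, not Node-RED's own code: it refuses to continue when the probe shows adminAuth is not set, requests the narrower read scope, and revokes the token even if the API call fails. The function names are hypothetical, and the access_token field name is an assumption because the token response body is not shown on this page.

```python
import json
import urllib.parse
import urllib.request

CLIENT_IDS = {"node-red-admin", "node-red-editor"}  # values the page allows
SCOPES = {"*", "read"}                               # values the page allows


def admin_api_is_open(login_body):
    """True when GET /auth/login returned {} (adminAuth not set)."""
    scheme = json.loads(login_body)
    if not isinstance(scheme, dict):
        raise ValueError("unexpected /auth/login response")
    return scheme == {}


def token_form(username, password, scope="read", client_id="node-red-admin"):
    """Form body for POST /auth/token; defaults to the narrower 'read' scope."""
    if client_id not in CLIENT_IDS or scope not in SCOPES:
        raise ValueError("unsupported client_id or scope")
    return urllib.parse.urlencode({
        "client_id": client_id, "grant_type": "password",
        "scope": scope, "username": username, "password": password,
    })


def bearer(token):
    return {"Authorization": "Bearer " + token}


def http_call(url, form=None, headers=None):
    data = form.encode() if form is not None else None  # a body makes it a POST
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def read_settings(base, username, password, call=http_call):
    """Probe, log in, GET /settings, and always revoke the token afterwards."""
    if admin_api_is_open(call(base + "/auth/login")):
        raise RuntimeError("admin API is unauthenticated: set adminAuth")
    reply = json.loads(call(base + "/auth/token", token_form(username, password)))
    token = reply["access_token"]  # assumed field name; reply not shown on the page
    try:
        return json.loads(call(base + "/settings", headers=bearer(token)))
    finally:
        call(base + "/auth/revoke",
             urllib.parse.urlencode({"token": token}), bearer(token))
```

The call parameter exists so the sequence can be exercised against a stub instead of a live instance.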