• 16 September 2021
  • 1 reply

Badge +1

Users use an installation link to install the plugin. How do I get an access token to use for the REST API?

The SDK only offers `miro.getIdToken`, but not an accessToken.


Use Case

I have a plugin that can drag & drop elements into the Miro board. Users can purchase additional elements to drop. Therefore, I have a backend that keeps track of user purchases.

  1. Web SDK initializes plugin.
  2. I use `miro.getToken()` (deprecrated) in the Web SDK to retrieve a token.
  3. I make an API call to the backend, using this token.
  4. My backend uses https://api.miro.com/v1/users/me to retrieve the e-mail address.
  5. I cross-reference the e-mail with the purchases in the web-shop to unlock purchased products for this user (*)

With the deprecation of `getToken()`, I cannot access the REST API anymore. The new idToken returns 401 Unauthorized.

*) Actually ​​​​​​, this is a bit different, but doesn't matter for this context.

1 reply

Userlevel 4
Badge +6

H @Mark Marijnissen ,


It is not possible to get the access_token from the Web SDK using getIdToken anymore. The Web SDK doesn’t have direct access to the token anymore, this was a security issue that we had to fix. The JWT contains user id, client id, team id, and other information but not access_token. If you use the REST API you have to obtain access token via oauth2 flow: user authorizes an app -> Miro redirects the user to the backend of application (using the OAuth URL in app settings), the backend of the app gets a user code and can exchange it to get the user’s access_token. You can then save this access_token and use it for API calls later on. This process is explained in our Authorization documentation. This step can be perform the first time someone authorize your application (first time they use it). 


getIdToken is used for the main use-case:

  • App has both a frontend (Web SDK) and a backend server.
  • The Frontend (Web SDK) sends a request to the backend of the application, SDK part calls getIdToken and sends it with all requests to the backend of an app, it gives the ability to the backend to validate that a request comes from the app, plus it gives information about user id (so the app can retrieve the user access token and perform the needed task).