How does a read-only token work?
Revocable API tokens, known as read-only tokens, allow individuals who are not the owner of a wallet to access the wallet owner's data through the API GET endpoints and web-socket events. This is achieved either by initializing the client in Read-Only mode, using the token instead of the private key, or by calling the API endpoints directly with the token.
How to manage a read-only token
The wallet owner can generate a read-only token and share it to grant read access to their data within the institution or to trusted users. A wallet owner can have only one read-only token active at any given time. The token remains valid until the owner chooses to revoke it, which can be done at any time. Revocation is accomplished by generating a new token, which renders the previous token invalid and denies further access to the owner's data.
Security
Before read-only access to a wallet owner's data is granted, the token's validity is checked; a revoked or invalid token is denied access. Since these tokens are unique 32-bit hash strings, each token represents an authenticated wallet owner in the system, and only the data pertaining to that owner is returned by the APIs when accessed in read-only mode. Users cannot perform any actions with this token; it grants read access only.
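The token lifecycle described above (one active token per owner, revocation by rotating to a new token, and acceptance only for read operations) as an added Python example. This is a constructed illustration, not the wallet API's own code; the token length, the in-memory store and the method names treated as "reads" are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed example. Assumptions: one active read-only token per owner,
# issuing a new token revokes the previous one, and the token authorizes
# only read operations (here modelled as GET and SUBSCRIBE).
READ_METHODS = {"GET", "SUBSCRIBE"}


class ReadOnlyTokenStore:
    def __init__(self) -> None:
        self._active: Dict[str, str] = {}  # owner_id -> currently valid token

    def generate(self, owner_id: str) -> str:
        """Issue a fresh token; whatever was active for this owner is revoked."""
        token = secrets.token_hex(32)  # 256 random bits; length is an assumption
        self._active[owner_id] = token  # overwriting is the revocation step
        return token

    def owner_of(self, token: str) -> Optional[str]:
        """Return the owner a valid token belongs to, or None if revoked/unknown."""
        for owner_id, current in self._active.items():
            # constant-time comparison so a wrong guess cannot be timed
            if hmac.compare_digest(current.encode(), token.encode()):
                return owner_id
        return None

    def authorize(self, token: str, method: str) -> Optional[str]:
        """Allow only read operations; return the owner whose data may be read."""
        if method.upper() not in READ_METHODS:
            return None  # a read-only token never authorizes a write
        return self.owner_of(token)


def demo() -> Dict[str, bool]:
    """Walk through rotation: the old token dies, the new one reads but never writes."""
    store = ReadOnlyTokenStore()
    first = store.generate("alice")
    second = store.generate("alice")  # rotation revokes `first`
    return {
        "old_revoked": store.authorize(first, "GET") is None,
        "new_reads": store.authorize(second, "GET") == "alice",
        "new_cannot_write": store.authorize(second, "POST") is None,
        "garbage_denied": store.authorize("not-a-token", "GET") is None,
    }
```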