How to get LINE channel access tokens with Python examples

ukyen
Apr 8, 2022
capture from https://developers.line.biz/en/docs/messaging-api/channel-access-tokens/#what-are-channel-access-tokens

A channel access token is a way to authenticate a caller who has permission to use a channel to send LINE messages.

There are three types of channel access tokens: short-lived, long-lived, and user-specified expiration. In this post, we will demonstrate how to get these tokens with Python examples.

Short-lived channel access token

A short-lived channel access token is valid for 30 days. It is easier to obtain than a user-specified one. It's also more secure, since we need to re-authenticate periodically to get a new token, which limits the risk from a leaked access token.

First, we need to get the Channel ID and Channel Secret for accessing the OAuth endpoint. We store those in keys.py:

CHANNEL_ID = "<your_channel_id>"  
CHANNEL_SECRET = "<your_channel_secret>"

Next, we write a client to issue the token from the given endpoint.

Long-lived channel access token

This is the easiest way to get an access token; you don't even need to implement a token client. Go to your LINE Developer Console, select your Messaging API channel, open the Messaging API tab, and issue a long-lived channel access token. Then store the token somewhere safe, and you can start using the LINE Messaging API.

User-specified channel access token

This is the most secure way to get a channel access token, since we authenticate with a JWT instead of the channel secret, which also means it is more complex to implement. It is also the way LINE officially recommends. A user-specified token allows us to specify the expiration time of a token (up to 30 days).

There are three main steps to issuing a user-specified token.

1. Create an Assertion Signing Key

First of all, we need to use the JWK standard to create a public/private key pair.

Run this program and you will get a private key and a public key. Copy the public key, then go to the LINE Developer Console and select the Basic Settings tab. Click Register a public key and paste the generated public key. Press the Register button; after that, you will see your Assertion Signing Key displayed. Copy the Assertion Signing Key and the generated private key, and add them to keys.py. Keep keys.py out of version control, since it now holds the private key.

ASSERTION_SIGNING_KEY = "<your_assertion_signing_key>"
PRIVATE_KEY = <your_private_key_dict>

2 & 3. Create a JWT and issue a user-specified channel access token

We combine these two steps into one token client. We start by generating a JWT, which takes a few things:

  1. Assign the Assertion Signing Key to the kid header parameter.
  2. Use the channel ID for the iss and sub claims.
  3. Set the expiration time of the JWT; 30 minutes is the maximum.
  4. Set the expiration time of the channel access token, up to 30 days.
  5. Sign the JWT with the generated private key.

After that, use the JWT to issue a channel access token from the OAuth endpoint. Run this program and you will get a channel access token that you can start using with any Messaging API endpoint!
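The JWT layout from the five steps above, and the form body that carries it to the token endpoint, as an added example (not the post's original client). The `aud` value, the `token_exp` claim name and the form fields follow LINE's documentation and RFC 7523 rather than this page; `sign` is a hypothetical callback standing in for RS256 signing with the private key from step 1, so the block runs without a crypto library.

```python
import base64
import json
import time
from urllib.parse import urlencode

MAX_JWT_TTL = 30 * 60            # step 3: the JWT may live 30 minutes at most
MAX_TOKEN_TTL = 30 * 24 * 3600   # step 4: the access token may live up to 30 days
TOKEN_AUDIENCE = "https://api.line.me/"  # assumption: aud value from LINE's docs


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(channel_id, kid, sign, jwt_ttl=MAX_JWT_TTL,
                    token_ttl=MAX_TOKEN_TTL, now=None):
    """Return a compact JWT. sign(bytes) -> bytes is the injected RS256 signer."""
    if not 0 < jwt_ttl <= MAX_JWT_TTL:
        raise ValueError("JWT lifetime must be between 1 second and 30 minutes")
    if not 0 < token_ttl <= MAX_TOKEN_TTL:
        raise ValueError("token lifetime must be between 1 second and 30 days")
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}           # step 1
    claims = {
        "iss": channel_id, "sub": channel_id,                     # step 2
        "aud": TOKEN_AUDIENCE,
        "exp": now + jwt_ttl, "token_exp": token_ttl,             # steps 3 and 4
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return f"{signing_input}.{b64url(sign(signing_input.encode('ascii')))}"  # step 5


def token_request_body(assertion: str) -> str:
    """Form-encoded body for the token request (client-assertion grant)."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_assertion_type":
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    })


def decode_part(part: str) -> dict:
    """Decode one base64url JWT segment back into a dict, for inspection."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
```

Rejecting out-of-range lifetimes before signing means a misconfigured client fails locally instead of sending a signed assertion the endpoint will refuse.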

Conclusion

The long-lived token is the easiest to implement: you can develop your LINE bot directly without writing any authentication code. The short-lived and user-specified tokens are more complex to implement but also more secure, since you frequently request a new token, which limits the risk from a leaked token. However, with these two approaches you also need to consider how to handle the gap between the old and new tokens, so your service won't be interrupted unexpectedly. For example, store the access token in a Memcache server with a shorter expiration time, and request a new token when it expires.

You can find a complete example here. If you have any questions or thoughts please feel free to leave a message.

References

  1. https://developers.line.biz/en/docs/messaging-api/channel-access-tokens/
