The Node-RED admin API is secured using the adminAuth property in your file. The security section describes how that property should be configured.
If that property is not set (nor the deprecated httpAdminAuth property), the Node-RED admin API is accessible to anyone with network access to Node-RED.
An HTTP GET to /auth/login returns the active authentication scheme.
In the current version of the API, there are two possible results:
All API requests can be made without providing any further authentication information.
The API is secured by access token.
An HTTP POST to /auth/token is used to exchange user credentials for an access
The following parameters must be provided:
client_id - identifies the client. Currently, must be either
grant_type - must be
scope - a space-separated list of permissions being requested. Currently, must be either
username - the username to authenticate
password - the password to authenticate
curl http://localhost:1880/auth/token --data 'client_id=node-red-admin&grant_type=password&scope=*&username=admin&password=password'
If successful, the response will contain the access token:
All subsequent API calls should then provide this token in the
curl -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/settings
To revoke the token when it is no longer required, it should be sent in an HTTP
curl --data 'token=A_SECRET_TOKEN' -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/auth/revoke
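The full sequence described above (check the scheme, exchange credentials, call the API, revoke) as an added example that is not part of the original page or the Node-RED code base. It refuses to continue if /auth/login reports anything other than token authentication, reads credentials from the environment instead of the command line, and revokes the token even when the API call fails. Assumptions: Node.js 18+, the environment variable names NODE_RED_URL, NR_USER and NR_PASS, and the response shapes noted in the comments.

```javascript
// Added example, not Node-RED project code. Needs Node.js 18+ (global fetch).
// Assumed response shapes: {} when no auth is configured,
// {"type":"credentials",...} for token auth, and an access_token field.

// Classify the parsed JSON body of GET /auth/login.
function classifyAuthScheme(body) {
  if (body && body.type === "credentials") return "token";
  if (body && Object.keys(body).length === 0) return "open";
  return "unknown";
}

// Form-encode the POST /auth/token parameters (values are escaped safely).
function tokenRequestBody(username, password, scope = "*") {
  return new URLSearchParams({
    client_id: "node-red-admin", grant_type: "password", scope, username, password,
  }).toString();
}

const FORM = { "Content-Type": "application/x-www-form-urlencoded" };

// Obtain a token, run fn with the Authorization header, always revoke after.
async function withAdminToken(base, username, password, fn) {
  const login = await (await fetch(`${base}/auth/login`)).json();
  const scheme = classifyAuthScheme(login);
  if (scheme !== "token") throw new Error(`${base}: auth scheme is ${scheme}`);
  const res = await fetch(`${base}/auth/token`, {
    method: "POST", headers: FORM, body: tokenRequestBody(username, password),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const token = (await res.json()).access_token;
  const auth = { Authorization: `Bearer ${token}` };
  try {
    return await fn(auth);
  } finally {
    await fetch(`${base}/auth/revoke`, {
      method: "POST", headers: { ...auth, ...FORM },
      body: new URLSearchParams({ token }).toString(),
    });
  }
}

// Runs only when NODE_RED_URL is set (hypothetical variable names).
if (process.env.NODE_RED_URL) {
  const base = process.env.NODE_RED_URL;
  withAdminToken(base, process.env.NR_USER, process.env.NR_PASS,
    async (auth) => (await fetch(`${base}/settings`, { headers: auth })).json())
    .then((s) => console.log("settings keys:", Object.keys(s)))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

An "open" result from classifyAuthScheme means the instance accepts admin API requests without credentials, which is the condition to alert on when auditing deployments.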