Authorization
Introduction
There are two ways to authorize your use of the Niantic Spatial Platform through NSDK, depending on your use case:
- [Coming Soon] Access tokens: You want to develop, prototype, or run an application with a small team or group of testers. You issue a long-lived access token from the Scaniverse web portal and include it directly in your application build. Access tokens issued through the web portal are given a developer-defined lifespan of up to a year. No backend server is required.
- Production applications: You are building a production app for a broad user base and need to integrate your own identity system with a secure backend for token management. You create one or more service accounts through the Scaniverse web portal associated with sets of users or organizations, and stand up a backend that processes client-side authentication to grant short-lived access tokens to authenticated users.
The following table summarizes these approaches:
| Approach | Best for | Who handles tokens | What you need | Notes |
|---|---|---|---|---|
| Access tokens | Development, prototyping, internal testing | Developer embeds a token into the app build | Scaniverse account, Access token | Token is embedded in the app binary and scoped to the developer's account. Suitable for development, demos, and evaluation. |
| Production applications | Public releases, multi-user apps | Your backend server issues tokens per user | Scaniverse account, Service account, backend server | Tokens are short-lived, scoped per user, and never embedded in the client. Suitable for custom authentication in deployed apps |
Start with an access token to get up and running quickly. Move to production application authorization when you are ready to distribute your app to end users or need per-user access control.
Access tokens
[Coming Soon] An access token lets you authorize NSDK without a backend server or login flow. You generate the token on the Scaniverse web portal, then include it in your application build. All NSDK API calls made by that build inherit the access of the developer that issues the access token.
Access tokens are a good fit when:
- You are developing or prototyping and want to test NSDK features quickly.
- You are running a demo for stakeholders or a small group of testers.
- You do not need distinct permissions or asset access for different users.
- You do not have backend infrastructure available.
Because the token is embedded in the application binary, every user of that build shares the same identity and the same level of access.
The Scaniverse web portal provides tools to manage access tokens, such as setting an expiration date, revoking or rotating tokens, and viewing the last usage of the token.
How it works
- Log in to the Scaniverse web portal with your developer account.
- Generate an access token from the portal.
- Add the token to your application's configuration or build settings.
- The NSDK uses this token to authorize all API requests.
No login screen, callback handling, or token refresh logic is required in your application code.
When to move to production authorization
Consider moving to production application authorization when:
- You are distributing your app outside of a trusted group.
- Different users need different levels of access to assets or services.
- You want to enforce per-user token expiration and revocation.
- You need to avoid embedding long-lived credentials in your app binary.
Production applications
For production apps, implement a secure backend token flow to manage NSDK access. Your backend uses a service account API key to request short-lived access tokens from the Niantic Spatial Identity Service and delivers them to the client. This enables per-user authorization with scoped permissions, so different users of your app can have different levels of access to assets and services.
Production application authorization is the recommended approach for any app distributed beyond a trusted group, because access tokens embedded in client binaries can be extracted and misused.
How it works
To set up an application for handling production authorization, integrate the service account flow across your client and backend. This will allow the use of custom authentication and Niantic Spatial service accounts to provide user-scoped, short-lived access to Niantic Spatial services:
| Step | Actor | Action |
|---|---|---|
| 1 | User | Logs in to your app using your user management system. |
| 2 | Client app | Requests an access token from your backend. |
| 3 | Developer backend | Uses a service account to request a short-lived access token from the Niantic Spatial Identity Service. |
| 4 | Developer backend | Returns the access token to the client app. |
| 5 | Client app | Uses the access token with NSDK features to access Niantic Spatial services. |
The following diagram demonstrates the auth flow for setting up production authorization:
Benefits
- Per-user access control: Each user authenticates through your system, and your backend can issue tokens with different scopes and permissions.
- Short-lived tokens: Access tokens expire in an hour and must be refreshed through your backend, limiting the impact of a compromised token.
- No embedded secrets: API keys and long-lived credentials stay on your server and are never distributed to clients.
- Scalable multi-user support: Your backend handles token lifecycle for all users of your app.
Passing access tokens to the NSDK
Both access tokens issued from Scaniverse and exchanged from the Niantic Spatial Identity Service use the same NSDK APIs:
Pass the access token when you create your NSDK session:
Set the access token through the NSDK settings:
using NianticSpatial.NSDK.AR.Loader;
NsdkSettingsHelper.ActiveSettings.AccessToken = "YOUR_ACCESS_TOKEN";
Replace YOUR_ACCESS_TOKEN with the token from the Scaniverse web portal or from your production backend. For complete project setup instructions, see Setting Up the Niantic SDK.
Next steps
- Using service accounts — How to create service accounts, request tokens, and manage token lifecycle from your backend.
- Client code integration — How to set, validate, and refresh access tokens in Swift, Kotlin, and Unity apps.