Accessing Storage with monday-code apps SDK using client's sessionToken

Hello Community,

I hope this message finds you well.

I’m currently working on a project where I need to access Storage from the backend on behalf of the user. The sessionToken is captured in an Item View Context when the user clicks to send a request to the backend.

Allow me to provide some context and share what I have attempted so far:

Frontend Code (client-side Item view):

monday.get('sessionToken').then((token) => {
  // send token to backend
});

Backend Request Handling Code (backend server):

import jwt from 'jsonwebtoken';
import { Storage } from '@mondaycom/apps-sdk';

// The callback is async because storage.get() is awaited inside it
jwt.verify(token.data, MY_CLIENT_SECRET, async (err, decoded) => {
    if (err) {
        // Handle token verification error
        return;
    }

    // token verified
    const storage = new Storage(token.data);
    const storageItem = await storage.get(KEY, options);
    console.log(storageItem);
    // log output
    /*{
       success: true,
       error: 'You need to log in or sign up before continuing.'
    }*/
});

Questions:

  1. Is it feasible to access storage from the Monday.com SDK using a session token obtained during an Item View interaction?

  2. Are there specific limitations or considerations regarding the usage of sessionTokens for storage operations?

  3. What is the difference between this auth approach, and using the shortLivedToken in the integration trigger flow?

I’m eager to understand whether the current approach is technically feasible and if there are any best practices or guidelines I should follow.

Thank you for your time and expertise!

Best regards,

1 Like

The sessionToken does not contain an API token, so it cannot be used for calls to monday.com. What the sessionToken is used for is providing something signed with your app's signing secret to your backend, to enable your front end to access your backend without requiring your users to log in to the backend in your client-side app. It is not an access token to connect to the monday.com platform.

You will instead need to get and store an OAuth token in your backend; this is the access token you’ll need to perform storage operations, after you use the sessionToken to authenticate the request from your front end to your back end.

Short-lived tokens from the integration trigger flow are embedded in a JWT: the JWT is used to authenticate the request from monday, and the shortLivedToken in the JWT is used as your access token to monday. The sessionToken is much like the JWT but doesn’t have a shortLivedToken in it.

3 Likes
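
The two steps described in the answer above, as an added example that is not part of the original thread or monday's own code: the backend verifies the sessionToken against the app's signing secret, then uses the verified claims only to pick the OAuth token it stored earlier. Assumptions: the token is an HS256 JWT, the account id sits at `dat.account_id`, and the helper names and the in-memory `Map` standing in for the token store are hypothetical.

```javascript
// Added example: Node built-ins only; function names are hypothetical.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Step 1: verify an HS256 JWT signed with the app's signing secret.
// Returns the payload, or throws if the token is malformed, forged or expired.
function verifySessionToken(token, signingSecret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch { throw new Error('malformed token'); }
  // Pin the algorithm so "none" or any unexpected alg is rejected.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = createHmac('sha256', signingSecret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSec) throw new Error('expired');
  return payload;
}

// Step 2: the verified claims only select which stored OAuth token to use.
// oauthTokens: Map of account id -> access token saved during the OAuth flow.
function accessTokenForRequest(sessionToken, signingSecret, oauthTokens, nowSec) {
  const claims = verifySessionToken(sessionToken, signingSecret, nowSec);
  const accountId = claims.dat && claims.dat.account_id; // assumed claim layout
  const accessToken = oauthTokens.get(accountId);
  if (!accessToken) throw new Error('no OAuth token stored for this account');
  return accessToken; // pass this, not the sessionToken, to new Storage(...)
}

// Builds a constructed sample token for local testing (not a real monday token).
function makeSampleToken(payload, secret, alg = 'HS256') {
  const h = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const p = b64url(JSON.stringify(payload));
  const s = createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url');
  return `${h}.${p}.${s}`;
}
```

The value returned by `accessTokenForRequest` is what goes into `new Storage(...)`; the sessionToken never leaves the authentication step.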