# Verifying API Access Permissions

## When to Use

To protect sensitive data and eliminate security threats on core abilities, you can use the permissions in the [Application Permission List](permission-list.md) to protect the related API from unauthorized calls. Before each call to the API, a permission verification is performed to check whether the caller has the required permission.

## Available APIs

The table below lists only the API used in this guide. For more information, see [Application Access Control](../reference/apis/js-apis-abilityAccessCtrl.md).

| API | Description |
| --- | --- |
| `verifyAccessToken(tokenID: number, permissionName: string): Promise<GrantStatus>` | Checks whether an application process has the specified permission. |


## Example

The procedure is as follows:

1. Obtain the caller's identity (**tokenId**).

   > **NOTE**<br>
   > Use **getCallingTokenId** to obtain the caller's **tokenId**. For details, see [RPC](../reference/apis/js-apis-rpc.md#getcallingtokenid8).

2. Determine the permission to verify, which is **ohos.permission.PERMISSION** in this example.

3. Call **verifyAccessToken()** to perform a permission verification of the caller.

4. Proceed based on the permission verification result.

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl'
import rpc from '@ohos.rpc'

class Stub extends rpc.RemoteObject {
    onRemoteRequest(code, data, reply, option) {
        // Take the caller's identity from the IPC context.
        let callerTokenId = rpc.IPCSkeleton.getCallingTokenId();
        console.log("RpcServer: getCallingTokenId result: " + callerTokenId);
        let atManager = abilityAccessCtrl.createAtManager();
        // verifyAccessToken() returns a Promise, so the result is handled when it resolves.
        atManager.verifyAccessToken(callerTokenId, "ohos.permission.PERMISSION").then((result) => {
            if (result === abilityAccessCtrl.GrantStatus.PERMISSION_GRANTED) {
                // Allow the caller to invoke the API provided by the app.
            } else {
                // Deny the caller's access to the API.
            }
        }).catch((err) => {
            // A failed verification is treated as a denial.
            console.log("RpcServer: verifyAccessToken failed: " + err);
        });
        return true;
    }
}
```

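The following block is an added example, not code from the original guide or from the OpenHarmony project. It shows step 4 as a fail-closed gate: the protected handler runs only after **verifyAccessToken()** resolves to granted, and an unmapped request code or a failed verification is treated as a denial. `GrantStatus`, `fakeAtManager`, `REQUIRED_PERMISSION`, `isCallAllowed`, `handleRequest`, the token IDs and the request codes are assumptions constructed so the block runs offline.

```js
// Constructed stand-ins so the block runs offline; on a device use
// abilityAccessCtrl.GrantStatus and abilityAccessCtrl.createAtManager().
const GrantStatus = { PERMISSION_DENIED: -1, PERMISSION_GRANTED: 0 };

// Hypothetical map: RPC request code -> permission the caller must hold.
// A Map avoids prototype keys such as "constructor" matching by accident.
const REQUIRED_PERMISSION = new Map([[1, 'ohos.permission.PERMISSION']]);

// Resolves to true only when verification positively reports GRANTED.
// An unmapped code, a rejected promise or any other status all deny.
async function isCallAllowed(atManager, callerTokenId, code) {
  const permission = REQUIRED_PERMISSION.get(code);
  if (permission === undefined) {
    return false;
  }
  try {
    const status = await atManager.verifyAccessToken(callerTokenId, permission);
    return status === GrantStatus.PERMISSION_GRANTED;
  } catch (err) {
    console.log('verifyAccessToken failed, denying call: ' + err);
    return false;
  }
}

// Runs the protected handler only after the check has resolved to granted.
async function handleRequest(atManager, callerTokenId, code, handler) {
  if (!(await isCallAllowed(atManager, callerTokenId, code))) {
    return { ok: false, error: 'permission denied' };
  }
  return { ok: true, value: handler() };
}

// Constructed fake: token 100 holds the permission, token 200 does not,
// and token 300 makes the lookup itself fail.
const fakeAtManager = {
  verifyAccessToken(tokenID, permissionName) {
    if (tokenID === 300) {
      return Promise.reject(new Error('constructed lookup failure'));
    }
    const granted = tokenID === 100 && permissionName === 'ohos.permission.PERMISSION';
    return Promise.resolve(
      granted ? GrantStatus.PERMISSION_GRANTED : GrantStatus.PERMISSION_DENIED);
  },
};
```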