1. Token properties
    1. Token type
    2. Application name (String)
    3. Producer
  2. Worf User Guide
    1. Prerequisites
    2. Start
    3. Generate Configuration from standalone template
    4. Save defaults (uuid, application name)
    5. Encode token
    6. Decode token
    7. Quit


Warp 10™ entry points are based on bearer token authentication. Tokens are protected by a cryptographic envelope which ensures their integrity and authenticity. They are never stored in the Warp 10™ instance.

Token properties

All properties below are mandatory to deliver tokens. Learn more about the Access Control System here.

Token type

There are two basic types of tokens, write tokens for pushing data and read tokens for reading data.

Format: String Value: read or write

Application name (String)

Application provides a logical isolation of your data. Remember, the application name is encoded inside the token, keep it short.

Format: String


The producer has the responsibility of writing data on the platform for an application. Generally it is the application manager.

Format: UUID


The owner owns the data. This concept is useful for building data privacy systems. In most cases, owner and producer are identical.

Format: UUID

TTL (time to live)

Every token has an expiration date after which it is no longer valid. This allows to create short-lived tokens for performing specific manipulations, or also long-lived tokens to embed into devices.

Format: Long (milliseconds)

Worf User Guide

Used to generate read/write Warp 10™s tokens.


  • JVM 1.7 or upper
  • Warp 10™ full Jar
  • Warp 10™ configuration file


Launch Worf with this command line.

$ java -cp warp-full-<revision name>.jar io.warp10.worf.Worf  -i <path to Warp10 configuration file>

Worf loads the Warp 10™ configuration file and extracts hash and AES keys necessary for token delivery

  • Use <Tab> for the complete list of commands.
  • Use <Up or Down> for the commands history.

Two mode are available

  • interactive mode ( -i), prompts the user on the command line
  • scripting mode (default), all parameters should be set on the command line.

Generate Configuration from standalone template

java -cp warp-full-<revision name>.jar io.warp10.worf.Worf  -i /path/to/warp10.conf

Worf loads the Warp 10™ standalone template, generates hash and AES keys, writes it by default at the same path.

Save defaults (uuid, application name)

If you generate a configuration file and tokens in the same command (io.warp10.worf.Worf -t -a <name> -ttl 10000000 -puidg <template>) Worf can save a default configuration (..worf) at the same path. It contains:

  • the producer uuid
  • the owner uuid
  • the application name

These values are taken by default, with the interactive or scripting mode.

Encode token

You can encode tokens with the encodeToken command or -t option. You have to enter this following fields:

  1. token type (read or write)
  2. application name
  3. producer UUID
  4. owner UUID (enter for use producer UUID as Owner)
  5. time to live (in milliseconds)
  6. encode or cancel

You will have the following output

application name=test.application.name
producer & owner=4430fb04-ba03-11e5-ae25-535a84589344 & 4430fb04-ba03-11e5-ae25-535a84589344

You can use this token immediately on fetch, update or delete endpoints. The token identifier can be used for revoke this token by adding it inside a TRL (token revocation list)

Decode token

You can decode and print token properties (only available in interactive mode). You also can convert write tokens into read token with strictly the same properties (validity, application, owner & producer uuids).


No command history is stored by Worf.


Since Warp 10™ 1.2.2, a new TokenGen Worf command exists which uses the TOKENGEN function from io.warp10.script.ext.token.TokenWarpScriptExtension.

The TOKENGEN function only useable from Worf (needs a KeyStore).

Tokens are described as a WarpScript™ map.

it will execute the WarpScript™ code from in.mc2 and outputs the stack as JSON to out.json:

$ java -cp warp-full-<revision name>.jar io.warp10.worf.TokenGen /path/to/warp10.conf in.mc2 out.json

Example of in.mc2

  'id' 'nameoftoken'  // for bookkeeping purposes
  'type' 'READ'       // or 'WRITE'
  'application' 'app' // Name of applications for this token
  'owner' 'UUID'      // UUID of the data owner for WRITE tokens or the billed user for READ tokens
  'issuance' NOW      // Time of token issuance
  'expiry' NOW 30 d + // Time of token expiry
  'ttl' 300 d         // Time To Live of the token, use if not using 'expiry'
  'labels' {}         // Map of token labels
  'attributes' {}     // Map of token attributes
  // The following are only for READ tokens, can be omitted, the token is then considered a WildCard token.
  'owners' [ /* List of UUIDs */ ]
  'producers' [ /* List of UUIDs */ ]
  'applications' [ /* List of application names or regexps (if more than one) */ ]

Example of out.json

  "id" : "nameoftoken",   // Value of the ‘id’ field from the TOKENGEN parameter map
  "token" : "..." ,       // Encoded token
  "ident" : "hhhhhhhhhhhhhhhh" // TokenIdent, for use in Token Revocation List

Can use - for stdin / stdout:

$ java -cp warp-full-<revision name>.jar io.warp10.worf.TokenGen /path/to/warp10.conf - -