Skip to main content

Tutorial: Create Token URLs Using the Web API

Abstract

Create token URLs using the OpenVPN Access Server Web API. Generate secure links that allow users to download and import user-locked, auto-login, server-locked, and ePKI connection profiles into OpenVPN Connect.

Overview

This tutorial shows how to create token URLs using the Access Server Web API.

A token URL provides a secure, temporary link that allows users to download and import a connection profile directly into OpenVPN Connect. This can simplify profile distribution and onboarding by eliminating the need to manually download and import profile files.

Tip

This tutorial uses the sacli apicall command, but you can also use cURL or the Swagger UI. Refer to Tutorial: Test the New Web API (OpenAPI) in Access Server 3.0.

Prerequisites

  • Access Server 3.1.0 or newer.

  • Root privileges on your Access Server's console.

  • (Optional) A remote machine for running API calls.

Important

The API specification can change between Access Server versions. Verify the API specification for your version before using these commands.

Refer to: View the API specification.

Step 1: Generate a token URL

  1. Connect to the console and get root privileges.

  2. Run one of the following commands based on the profile type you want to generate.

User-locked profile

sacli --method POST --url 'api/token-url' --value '{"profile_type":"userlogin", "username": "<USER_NAME>"}' apicall

Auto-login profile

sacli --method POST --url 'api/token-url' --value '{"profile_type":"autologin", "username": "<USER_NAME>"}' apicall

Important

Auto-login profiles require the user to have auto-login permission, either assigned directly or inherited through a group. By default, auto-login permission is disabled.

Server-locked profile

sacli --method POST --url 'api/token-url' --value '{"profile_type":"generic", "username": "<USER_NAME>"}' apicall

Generic ePKI profile

sacli --method POST --url 'api/token-url' --value '{"profile_type":"epki-generic", "username": "<USER_NAME>"}' apicall

Note

ePKI profile types can only be used when Access Server is configured for ePKI mode.

Auto-login ePKI profile

sacli --method POST --url 'api/token-url' --value '{"profile_type":"epki-autologin", "username": "<USER_NAME>"}' apicall

Note

ePKI profile types can only be used when Access Server is configured for ePKI mode.

Result

The API returns a token URL similar to the following:

"openvpn://import-profile/https://192.0.2.2/rest/GetProfileViaToken?token=Q3nY2St5T9jMHUAcX9aDUPPvDIzamD6s"

Open the URL on a device with OpenVPN Connect installed to automatically import the connection profile.

The imported profile type matches the option selected when generating the token URL.

In this section:
See also:

A file with the information for a VPN client to securely connect to Access Server.

The VPN client app to connect to Access Server.