Authorization
The authorization needed to access the Enrollment Token API is detailed in the Chrome Enterprise Core's Takeout API Service Script guide. Follow the same steps from that guide to retrieve an access token.
ChromeEnrollmentToken
ChromeEnrollmentToken is a string used to identify the enrollment of a Chrome browser.
Resource Representation
The following JSON template is used for ChromeEnrollmentToken resource in the Directory API:
{
  "kind": "admin#directory#chromeEnrollmentToken",
  "orgUnitPath": string,
  "token": string,
  "tokenPermanentId": string,
  "customerId": string,
  "state": enum {
    "active",
    "expired",
    "revoked"
  },
  "expiration": oneof {
    "expireTime": dateTime,
    "ttl": duration
  },
  "creatorId": string,
  "creationTime": dateTime,
  "revokerId": string,
  "revokeTime": dateTime,
  "tokenType": enum {
    "chromeBrowser"
  }
}
Call the API
List all enrollment tokens for an account
To list all chrome enrollment tokens for an account on an organization unit, use the following GET request and include the access token obtained by following the "Authorization" section.
Note: For readability, this code sample has line returns.
GET
https://www.googleapis.com/admin/directory/v1.1beta1/customer/
{my_customer|customerId}/chrome/enrollmentTokens?query=
{query_string}&pageSize={number_of_results_to_return}
&pageToken={page_token_from_previous_request}&orgUnitPath={/org-unit-path}
- The customerId is a unique identifier of the customer's Google account.
- When impersonating an account administrator, you can also use the string my_customer which represents your account's customerId. Another way to get the customerId value is to use the Retrieve a user operation. Use your administrator email address or your administrator unique user id value in the operation's userKey path parameter.
The following is a reference of all payload parameters that can be used in the request:
Parameter | Required | Type | Description |
---|---|---|---|
orgUnitPath | optional | string | Only list enrollment tokens created on a specific organization unit. If this field is not specified, all enrollment tokens of this customer are listed. |
pageSize | optional | int | Maximum number of results to return. Maximum and default is 100. |
pageToken | optional | string | The pageToken query parameter is used to request the next page of query results. The follow-on request's pageToken query parameter is the nextPageToken from your previous response. Note: Requests with page_token field provided must have the same query and org_unit_path field value as the request that generated the page_token. |
query | optional | string | Search string to filter the listed tokens. The format of list page query language is described in the section below (Filter Query Language). |
Example
An example request
GET https://www.googleapis.com/admin/directory/v1.1beta1/customer/my_customer/chrome/enrollmentTokens?pageSize=1&orgUnitPath="/Org-unit-path"
JSON response
A successful request returns an HTTP 200 status code. Along with the status code, the response returns the Chrome Enrollment Token properties:
{
  "kind": "admin#directory#chromeEnrollmentTokens",
  "chrome_enrollment_tokens": [
    {
      "tokenId": "token_id_value",
      "tokenPermanentId": "token_Permanent_id_value",
      "kind": "admin#directory#chromeEnrollmentToken",
      "orgUnitPath": "/Org-unit-path",
      "state": "active",
      "creator_id": "unique_id_of_user",
      "create_time": "2020-04-30T19:22:44Z",
      "tokenType": "chromeBrowser"
    }
  ],
  "nextPageToken": "abcdefghijkl123"
}
Filter Query Language
When you use the "query" parameter in a list request, every term in the query must match one of the following fields for a token to be considered a match. Each term narrows the returned tokens to those whose field matches the value given in the term. If you specify no operators (fields) in the query, the search finds all enrollment tokens.
For example, if your query is:
{URL}?query="device_type:CHROME_BROWSER+token_state:REVOKED"
this will return enrollment tokens like the following:
{
  "tokenId": "token_id_value",
  "tokenPermanentId": "token_Permanent_id_value",
  "kind": "admin#directory#chromeEnrollmentToken",
  "orgUnitPath": "/Org-unit-path",
  "tokenState": "revoked",
  "creatorId": "unique_id_of_user",
  "create_time": "2020-04-30T19:22:44Z",
  "tokenType": "chromeBrowser"
}
You can use the following fields to target your search:
Field | Description |
---|---|
device_type | The device type the enrollment tokens are used for. Currently only CHROME_BROWSER is supported. |
token_state | The state of an enrollment token. Supported values are: REVOKED, ACTIVE, EXPIRED. |
Create an enrollment token
To create a chrome enrollment token on an organization unit, use the following POST request and include the access token obtained by following the "Authorization" section.
Note: For readability, this code sample has line returns.
POST
https://www.googleapis.com/admin/directory/v1.1beta1/customer/
{my_customer|customerId}/chrome/enrollmentTokens
- The customerId is a unique identifier of the customer's Google account.
- When impersonating an account administrator, you can also use the string my_customer which represents your account's customerId. Another way to get the customerId value is to use the Retrieve a user operation. Use your administrator email address or your administrator unique user id value in the operation's userKey path parameter.
The following is a reference of all payload parameters that can be used in the request:
Parameter | Required | Type | Description |
---|---|---|---|
expire_time | optional | string | Expire time of the created enrollment token, in "yyyy-MM-ddThh:mm:ssZ" format. If this field is not specified, the enrollment token lives until users revoke it. |
org_unit_path | optional | string | The organization unit to create an enrollment token for. If this field is not specified, the enrollment token is created for the root organization unit. |
token_type | required | string | Type of chrome device to create enrollment token for. Currently only “CHROME_BROWSER” is supported. |
ttl | optional | string | Life of the created enrollment token, encoded in seconds with an “s” suffix. For example, for a token to live for 1 hour, this field should be set to “3600s”. If this field is not specified, the enrollment token lives until users revoke it. |
Example
An example request
POST https://www.googleapis.com/admin/directory/v1.1beta1/customer/my_customer/chrome/enrollmentTokens
{
  "token_type": "CHROME_BROWSER",
  "org_unit_path": "/org-unit-path",
  "expire_time": "2021-04-30T19:22:44Z"
}
JSON response
A successful request returns an HTTP 200 status code. Along with the status code, the response returns the Chrome Enrollment Token properties:
{
  "tokenId": "token_id_value",
  "tokenPermanentId": "token_Permanent_id_value",
  "kind": "admin#directory#chromeEnrollmentToken",
  "orgUnitPath": "/Org-unit-path",
  "state": "active",
  "creatorId": "unique_id_of_user",
  "create_time": "2020-04-30T19:22:44Z",
  "expire_time": "2021-04-30T19:22:44Z",
  "tokenType": "chromeBrowser"
}
Revoke an enrollment token
To revoke an enrollment token, use the following POST request and include the access token obtained by following the "Authorization" section.
Note: For readability, this code sample has line returns.
POST
https://www.googleapis.com/admin/directory/v1.1beta1/customer/
{my_customer|customerId}/chrome/enrollmentTokens/{tokenPermanentId}:revoke
- The customerId is a unique identifier of the customer's Google account.
- When impersonating an account administrator, you can also use the string my_customer which represents your account's customerId. Another way to get the customerId value is to use the Retrieve a user operation. Use your administrator email address or your administrator unique user id value in the operation's userKey path parameter.
- The tokenPermanentId is a unique identifier for an enrollment token, and is found in the “tokenPermanentId” field in the responses of a “List” or “Create”.
Example
An example request
POST https://www.googleapis.com/admin/directory/v1.1beta1/customer/my_customer/chrome/enrollmentTokens/token_permanent_id_value:revoke
JSON response
A successful request returns an HTTP 200 status code.
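The List and Revoke calls above, combined into a token audit (an added example, not code from the original guide): it follows nextPageToken with unchanged filters, flags active tokens that have no expiry, and builds the revoke URL for each. The Bearer header, the helper names and the constructed SAMPLE_PAGES are assumptions; response field names follow the sample responses on this page.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://www.googleapis.com/admin/directory/v1.1beta1/customer"

def list_url(customer="my_customer", org_unit_path=None, page_size=100, page_token=None):
    # Optional parameters are left out of the query string when unset.
    params = {"pageSize": page_size, "orgUnitPath": org_unit_path, "pageToken": page_token}
    params = {k: v for k, v in params.items() if v is not None}
    return f"{BASE}/{customer}/chrome/enrollmentTokens?{urllib.parse.urlencode(params)}"

def revoke_url(token_permanent_id, customer="my_customer"):
    # POST target that revokes one token, addressed by its tokenPermanentId.
    tid = urllib.parse.quote(token_permanent_id, safe="")
    return f"{BASE}/{customer}/chrome/enrollmentTokens/{tid}:revoke"

def http_get(url, access_token):
    # Live fetch. Assumption: the access token is sent as an OAuth 2.0 Bearer header.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def iter_tokens(fetch, **filters):
    # Follow nextPageToken, repeating the same filters on every page request.
    page_token = None
    while True:
        page = fetch(list_url(page_token=page_token, **filters))
        yield from page.get("chrome_enrollment_tokens", [])
        page_token = page.get("nextPageToken")
        if not page_token:
            return

def non_expiring_active(tokens):
    # Active tokens with no expiry live until someone revokes them.
    return [t["tokenPermanentId"] for t in tokens
            if t.get("state") == "active" and not t.get("expire_time")]

# Constructed sample pages keyed by pageToken, shaped like this page's responses.
SAMPLE_PAGES = {
    None: {"nextPageToken": "abcdefghijkl123", "chrome_enrollment_tokens": [
        {"tokenPermanentId": "perm-1", "state": "active"},
        {"tokenPermanentId": "perm-2", "state": "revoked"}]},
    "abcdefghijkl123": {"chrome_enrollment_tokens": [
        {"tokenPermanentId": "perm-3", "state": "active", "expire_time": "2021-04-30T19:22:44Z"}]},
}

def sample_fetch(url):
    # Offline stand-in for http_get: selects a sample page by the URL's pageToken.
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[qs.get("pageToken", [None])[0]]
```

For a live run, pass `lambda url: http_get(url, access_token)` as `fetch` in place of `sample_fetch`.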