Use the Chrome Browser Enrollment Token API

Authorization

Authorization needed for accessing the Enrollment Token API is detailed in the Chrome Enterprise Core's Takeout API Service Script guide. Users need to follow the same steps from there to retrieve an access token.

ChromeEnrollmentToken

ChromeEnrollmentToken is a string used to identify the enrollment of a chrome browser.

Resource Representation

The following JSON template is used for ChromeEnrollmentToken resource in the Directory API:

{

"kind": "admin#directory#chromeEnrollmentToken",

"orgUnitPath": string,

"token": string,

"tokenPermanentId": string,

"customerId": string,

"orgUnitPath": string,

"state": enum {
    "active",

    "expired",

    "revoked",

}

"expiration": oneof {

    "expireTime": dateTime,

    "ttl": duration

  }

"creatorId": string,

"creationTime": dateTime,

"revokerId": string,

"revokeTime": dateTime,

"tokenType": enum {

    "chromeBrowser"

  }

}

Call the API

List all enrollment tokens for an account

To list all chrome enrollment tokens for an account on an organization unit, use the following GET request and include the access token obtained by following the "Authorization" section. 

Note: For readability, this code sample has line returns.

GET
https://www.googleapis.com/admin/directory/v1.1beta1/customer/
{my_customer|customerId}/chrome/enrollmentTokens?query=
{query_string}&pageSize={number_of_results_to_return}
&pageToken={page_token_from_previous_request}&orgUnitPath={/org-unit-path}

  • The customerId is a unique identifier of the customer's Google account.
  • When impersonating an account administrator, you can also use the string my_customer which represents your account's customerId. Another way to get the customerId value is to use the Retrieve a user operation. Use your administrator email address or your administrator unique user id value in the operation's userKey path parameter.

The following is a reference of all payload parameters that can be used in the request:

Parameter Required Type Description
orgUnitPath optional string Only list enrollment tokens created on a specific organization unit.  If this field is not specified, all enrollment tokens of this customer are listed.
pageSize optional int Maximum number of results to return. Maximum and default is 100.
pageToken optional string The pageToken query parameter is used to request the next page of query results. The follow-on request's pageToken query parameter is the nextPageToken from your previous response. Note: Requests with page_token field provided must have the same query and org_unit_path field value as the request that generated the page_token.
query optional string Search string to filter the listed tokens. The format of list page query language is described in the section below (Filter Query Language).

Example

An example request

GET https://www.googleapis.com/admin/directory/v1.1beta1/customer/my_customer/chrome/enrollmentTokens?pageSize=1&orgUnitPath=”/Org-unit-path”

JSON response

A successful request returns an HTTP 200 status code. Along with the status code, the response returns the Chrome Enrollment Token properties:

{
  kind: "admin#directory#chromeEnrollmentTokens",
  "chrome_enrollment_tokens": [
    {
      "tokenId": "token_id_value",
      "tokenPermanentId": "token_Permanent_id_value",
      "kind": "admin#directory#chromeEnrollmentToken",
      "orgUnitPath": "/Org-unit-path",
      "state": "active",
      "creator_id": “unique_id_of_user",
      "create_time": "2020-04-30T19:22:44Z",
      "tokenType": "chromeBrowser",
    }
  ],
  "nextPageToken": "abcdefghijkl123"
}

Filter Query Language

When using the "query" parameter in a list request, every term in the query must be matched in one of the following parameters in order for the results to be considered a match. You could specify that the returned tokens to be narrowed to match the field value on the term. If you specify no operators (fields) in the query, then the search will find all enrollment tokens.

For example, if your query is:
{URL}?query="device_type:CHROME_BROWSER+token_state:REVOKED",
this will return enrollment tokens like the following:

{
  "tokenId": "token_id_value",
  "tokenPermanentId": "token_Permanent_id_value",
  "kind": "admin#directory#chromeEnrollmentToken",
  "orgUnitPath": "/Org-unit-path",
  “tokenState”: “revoked”,
  “creatorId”: “unique_id_of_user”,
  "create_time": "2020-04-30T19:22:44Z",
  "tokenType": "chromeBrowser",
}

You can specify the following fields to target your search to specific field:

Field Description
device_type The device type the enrollment tokens are used for. Currently only CHROME_BROWSER is supported.
token_state The state of an enrollment token. Supported values are: REVOKED, ACTIVE, EXPIRED.

Create an enrollment token

To create a chrome enrollment token on an organization unit, use the following POST request and include the access token obtained by following the "Authorization" section.

Note: For readability, this code sample has line returns.

POST
https://www.googleapis.com/admin/directory/v1.1beta1/customer/
{my_customer|customerId}/chrome/enrollmentTokens

  • The customerId is a unique identifier of the customer's Google account.
  • When impersonating an account administrator, you can also use the string my_customer which represents your account's customerId. Another way to get the customerId value is to use the Retrieve a user operation. Use your administrator email address or your administrator unique user id value in the operation's userKey path parameter.

The following is a reference of all payload parameters that can be used in the request:

Parameter Required Type Description
expire_time optional string Expire time of the created enrollment token, in "yyyy-MM-ddThh:mm:ssZ" format. If this field is not specified, the enrollment token lives until  users revoke it.
org_unit_path optional string The organization unit to create an enrollment token for. If this field is not specified, the enrollment token is created for the root organization unit.
token_type required string Type of chrome device to create enrollment token for. Currently only “CHROME_BROWSER” is supported.
ttl optional string Life of the created enrollment token, encoded in seconds with an “s” suffix. Eg, for a token to live for 1 hour, this field should be set to “3600s”. If this field is not specified, the enrollment token lives until users revoke it.

Example

An example request

POST https://www.googleapis.com/admin/directory/v1.1beta1/customer/my_customer/chrome/enrollmentTokens
{
  "token_type": "CHROME_BROWSER",
  "org_unit_path": "/org-unit-path",
  "expire_time": "2021-04-30T19:22:44Z",
}

JSON response

A successful request returns an HTTP 200 status code. Along with the status code, the response returns the Chrome Enrollment Token properties:

{
  "tokenId": "token_id_value",
  "tokenPermanentId": "token_Permanent_id_value",
  "kind": "admin#directory#chromeEnrollmentToken",
  "orgUnitPath": "/Org-unit-path",
  "state": "active",
  "creatorId”: "unique_id_of_user",
  "create_time": "2020-04-30T19:22:44Z",
  "expire_time": "2021-04-30T19:22:44Z",
  "tokenType": "chromeBrowser",
}

Revoke an enrollment token

To revoke an enrollment token, use the following POST request and include the access token obtained by following the "Authorization" section. 

Note: For readability, this code sample has line returns.

POST
https://www.googleapis.com/admin/directory/v1.1beta1/customer/
{my_customer|customerId}/chrome/enrollmentTokens/{tokenPermanentId}:revoke

  • The customerId is a unique identifier of the customer's Google account.
  • When impersonating an account administrator, you can also use the string my_customer which represents your account's customerId. Another way to get the customerId value is to use the Retrieve a user operation. Use your administrator email address or your administrator unique user id value in the operation's userKey path parameter.
  • The tokenPermanentId is a unique identifier for an enrollment token, and is found in the “tokenPermanentId” field in the responses of a “List” or “Create”.

Example

An example request

POST https://www.googleapis.com/admin/directory/v1.1beta1/customer/my_customer/chrome/enrollmentTokens/token_permanent_id_value:revoke

JSON response

A successful request returns an HTTP 200 status code.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
13227036878406131163
true
Search Help Center
true
true
true
true
true
410864
false
false