AppToken not working, workflow not helping


I have created a basic app token and am trying to start a session based upon it but receive the “SERVICE_FORBIDDEN” code. I am not sure if it is my tokenhash or the token itself that is incorrect. When I try to use the ‘App Token Authentication’ workflow I get to step 2 but do not seem able to generate a hash; it just gives me a next button which takes me to step 3:

I am using an ETL tool to generate the hash so not sure it is correct. Could someone provide me with a hashed and unhashed string so I can make sure what I am generating is correct?

Also, here is my token (id, token and partnerId replaced). Should I be able to generate a session from this, or do I need to provide privileges and a userid?

"id": "1_5555aa444",
"token": "h534o3ybbretu34iuy553ehuite43",
"partnerId": 9999999,
"createdAt": 1627298165,
"updatedAt": 1627298165,
"status": 2,
"expiry": 1629972884,
"sessionType": 0,
"sessionDuration": 300,
"hashType": "SHA256",
"description": "Dan test Token",
"objectType": "KalturaAppToken"

Hi @DanP ,

I think actual code samples will be easier to follow in this case (rather than these guided “wizards”).
Please see a full Python implementation example in this post:

As you can see, the token hash should be generated thusly:

tokenHash = hashlib.sha256(result.ks.encode('ascii')+token.encode('ascii')).hexdigest()

In other words, the KS you generated by calling:

result = client.session.startWidgetSession(widgetId, expiry);

Concatenated with the token value (not ID), without any separators in between, hashed using the hashing algo of choice (defined when creating the appToken object), which, according to your output, is SHA256.

Of course, the same could be implemented in any language.

Do let me know should you have additional questions.


Thanks @jess

So my token looks OK? There must be an issue with my SHA256 hash. Could you please provide me with an example ks + token and the resultant hash so I can check the output from my routine is matching it?

Many thanks

Hi @DanP ,

Please provide your full code (masking the token value as this is a public forum) and I will review it.


Hi @jess

Sorry, I have no code as I am running this through an ETL tool with a hash step. I provide it with a string and pick the hash type and it returns the hashed value. I am not sure this is returning the value expected by the API though, and just wanted to eliminate this before looking at my token.

Many thanks

Hi @DanP ,

As per my first reply, you need to call session.startWidgetSession(), get a KS and concatenate that to the value of the token and then generate a hash out of that. So, be it from your ETL system or otherwise, you must first make this API request.

By token value, I mean the KalturaAppToken.token member, which you get when calling appToken.get().


Hi @jess

Thanks for the quick response and sorry I should have included more info to start with. My ETL tool is successfully starting a widget session, I am taking the widget KS and concatenating the value to my KalturaAppToken.token value and passing it through the ETL hash step but get the service forbidden error when I try to call appToken.startSession or enter the values in the workflow. So I am guessing that there is either something wrong with the SHA256 hash coming out of the ETL tool or my token.
I am just getting one of our programmers to knock up the hash logic in a Java class and send me the output to compare with my ETL tool.
Sorry but I don’t have any development tools installed on my managed laptop.


Hi @DanP,

One thing I can think of is that perhaps your ETL tool is upper-casing the hashed string. If so, this needs to be fixed.
You could also try to take a KS generated by calling session.startWidgetSession() and manually produce the hash using an online hashing interface. Here’s one that doesn’t uppercase, which you can use: SHA256 Hash Generator Online (check the lowercase option). You can then hard-code the result in the ETL proc just to see if that works.
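
An added example, not part of any post in this thread: a Python check that computes the token hash as described above (KS + token value, no separator, lower-case hex digest) and reports which common mistake a hash produced by another tool matches. The sample KS, token and id are constructed values, and the `diagnose` helper and the hashType-to-hashlib mapping are assumptions of this example.

```python
import hashlib

# Kaltura hashType string -> hashlib algorithm name (mapping assumed for this example)
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def token_hash(ks, token, hash_type="SHA256"):
    """Lower-case hex digest of KS + token value with no separator."""
    data = ks.encode("ascii") + token.encode("ascii")
    return hashlib.new(ALGOS[hash_type], data).hexdigest()


def diagnose(candidate, ks, token, token_id, hash_type="SHA256"):
    """Say why a hash computed elsewhere (e.g. an ETL step) differs from the expected one."""
    expected = token_hash(ks, token, hash_type)
    if candidate == expected:
        return "match"
    got = candidate.strip().lower()
    if got == expected:
        return "right digest, wrong form: upper-cased or padded with whitespace"
    # Input mistakes: recompute the hash over each wrong input and compare.
    wrong_inputs = [
        ("token id hashed instead of token value", ks, token_id),
        ("token placed before the KS", token, ks),
        ("trailing newline hashed with the input", ks, token + "\n"),
    ]
    wrong_inputs += [("separator %r between KS and token" % s, ks + s, token)
                     for s in (" ", ":", ",", "|", "\n")]
    for reason, first, second in wrong_inputs:
        if got == token_hash(first, second, hash_type):
            return reason
    for other in ALGOS:
        if other != hash_type and got == token_hash(ks, token, other):
            return "hashed with %s instead of %s" % (other, hash_type)
    return "no known mistake matches: check that KS and token are the exact strings"


# Constructed sample values (not real credentials).
KS = "CONSTRUCTED_WIDGET_KS_EXAMPLE"
TOKEN = "0123456789abcdef0123456789abcdef"
TOKEN_ID = "1_abcd1234"

if __name__ == "__main__":
    good = token_hash(KS, TOKEN)
    print("input string:", KS + TOKEN)
    print("expected    :", good)
    print(diagnose(good.upper(), KS, TOKEN, TOKEN_ID))
```

A result of "match" means the hash step is not the problem and the cause lies elsewhere in the appToken.startSession request.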

Hi @jess
Thanks, I have tried the online hash generator and also our programmer got back to me, and both the hash values supplied match the one generated from the ETL tool. I have again tried to call the appToken.startSession API but still get the SERVICE_FORBIDDEN error. I am supplying the, the hash calculated as discussed and my email as the user id. I think the issue must be my token and my lack of knowledge of permissions. I want to create a token which will allow access to the APIs and, if possible, get and list APIs only.


Hi @DanP ,

Please send me a private message with the KS, the token value and your hash. I will check that they are all correct.


Hi @jess

Sorry not sure how to send you a private message.


Hi Dan,

You can send private messages via the forum but I also sent you an email.


This was resolved. Because I was trying to set the minimum privileges, I set my token up as user and it should have been admin.