What’s the recommended workflow for using Cesium within a team environment?
Do all team members need to generate their own access tokens, or is it best practice to share a single token? If sharing is possible, what’s the correct way to do it?
We’re currently running into issues where imagery loads correctly for one person but not for another. When troubleshooting, the error message says the token isn’t linked to the user’s account.
Is the only viable solution for everyone to use a shared account and token?
The answer really depends on the needs of your application. The simplest approach - not necessarily the best - is to embed a token in your project / application that has access to all of the Cesium ion assets that are need by that project / application. Only the person that originally sets this up needs to have access to the Cesium ion account. This is the purpose of the “Project Default Token” that you can configure by clicking the Tokens button on the Cesium panel. There is no need to be signed into the same Cesium ion in the Editor UI in order to access assets that this token is authorized to access. However, you won’t be able to browse assets or use other features of the Cesium panel in this scenario. If you need to add a new Cesium ion asset to the project, you’ll need to get the person who controls the Cesium ion account to do it.
An improvement on this is to use a Cesium ion Team to allow multiple people access to a single ion account that controls the token used by your application. This way everyone can log in, add new assets, authorize the application’s token to access new assets, etc. With this approach, everyone can log into the team, and all the Cesium panel features will work well for everyone.
Teams work well from a workflow perspective, but may still not be right for all applications. The really important thing to understand is that the “Project Default Token” is embedded in your application. This means that anyone with access to a built copy of the application can, in theory, extract that token and use it to access any assets that the token allows access to. If someone steals your token and starts running up your Cesium ion account’s quotas, your options are limited. You can revoke the token, but that will break your application, too.
To avoid this, you might be able to use your application’s existing authorization mechanism, if you have one. It’s common for a Cesium for Unreal application to require users to log into the application itself using their own credentials. If your application has something like this, you can provide an authenticated, back-end service that allows the application to get the Cesium ion token. This way, only authorized users (not just anyone with the application) can access the token. Even better, you can periodically rotate the Cesium ion token over to a new one, further minimizing the potential for abuse.