CesiumGS · ggetz · Mar 30, 2025 · Mar 14, 2025 · Mar 17, 2025 · Mar 19, 2025
diff --git a/Apps/Sandcastle/gallery/iModel Mesh Export Service.html b/Apps/Sandcastle/gallery/iModel Mesh Export Service.html
@@ -31,10 +31,13 @@
       window.startup = async function (Cesium) {
         "use strict";
         //Sandcastle_Begin
-        const serviceResponse = await fetch("https://api.cesium.com/itwin/token");
-        const { access_token: token } = await serviceResponse.json();
+        // Generate a share key for access to an itwin without oauth
+        // https://developer.bentley.com/apis/access-control-v2/operations/create-itwin-share/
+        Cesium.ITwinPlatform.defaultShareKey =
+          "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpVHdpbklkIjoiNTM1YTI0YTMtOWIyOS00ZTIzLWJiNWQtOWNlZGI1MjRjNzQzIiwiaWQiOiJmZTliOTgyMS0wYWI5LTQ4ZjItYmMzOC01NjQ5MTg5MDQyOTEiLCJleHAiOjE3NDQ5OTA2MjZ9.7bQIX32CGE4slLDPkOQZ4rRr4BqBSjbUOFAUvcdrFXE";
 
-        Cesium.ITwinPlatform.defaultAccessToken = token;
+        // If you do use oauth for user login set:
+        // Cesium.ITwinPlatform.defaultAccessToken = 'your token'
 
         // Set up viewer
         const viewer = new Cesium.Viewer("cesiumContainer", {

diff --git a/Apps/Sandcastle/gallery/iTwin Feature Service.html b/Apps/Sandcastle/gallery/iTwin Feature Service.html
@@ -29,10 +29,13 @@
       window.startup = async function (Cesium) {
         "use strict";
         //Sandcastle_Begin
-        const serviceResponse = await fetch("https://api.cesium.com/itwin/token");
-        const { access_token: token } = await serviceResponse.json();
+        // Generate a share key for access to an itwin without oauth
+        // https://developer.bentley.com/apis/access-control-v2/operations/create-itwin-share/
+        Cesium.ITwinPlatform.defaultShareKey =
+          "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpVHdpbklkIjoiMDRiYTcyNWYtZjNjMC00ZjMwLTgwMTQtYTQ0ODhjYmQ2MTJkIiwiaWQiOiI3ZDI2MTQ2YS1mMWE4LTRmYzYtODI5Ny05ODA4ZGRlZDdkOTciLCJleHAiOjE3NDQ5OTAzNzl9.w8B077BL6TJ8Ohit9Pzyw8DlqicKDVBMwgcE0ujLOBQ";
 
-        Cesium.ITwinPlatform.defaultAccessToken = token;
+        // If you do use oauth for user login set:
+        // Cesium.ITwinPlatform.defaultAccessToken = 'your token'
 
         const iTwinId = "04ba725f-f3c0-4f30-8014-a4488cbd612d";
 

diff --git a/packages/engine/Source/Core/ITwinPlatform.js b/packages/engine/Source/Core/ITwinPlatform.js
@@ -56,12 +56,48 @@ ITwinPlatform.RealityDataType = Object.freeze({
 /**
  * Gets or sets the default iTwin access token. This token should have the <code>itwin-platform</code> scope.
  *
+ * This value will be ignored if {@link ITwinPlatform.defaultShareKey} is defined.
+ *
  * @experimental This feature is not final and is subject to change without Cesium's standard deprecation policy.
  *
  * @type {string|undefined}
  */
 ITwinPlatform.defaultAccessToken = undefined;
 
+/**
+ * Gets or sets the default iTwin share key. If this value is provided it will override {@link ITwinPlatform.defaultAccessToken} in all requests.
+ *
+ * @experimental This feature is not final and is subject to change without Cesium's standard deprecation policy.
+ *
+ * @type {string|undefined}
+ */
+ITwinPlatform.defaultShareKey = undefined;
+
+/**
+ * Create the necessary Authorization header based on which key/token is set.
+ * If the {@link ITwinPlatform.defaultShareKey} is set it takes precedence and
+ * will be used regardless if the {@link ITwinPlatform.defaultAccessToken} is set
+ * @private
+ * @returns {string} full auth header with basic/bearer method
+ */
+ITwinPlatform._getAuthorizationHeader = function () {
+  //>>includeStart('debug', pragmas.debug);
+  if (
+    !defined(ITwinPlatform.defaultAccessToken) &&
+    !defined(ITwinPlatform.defaultShareKey)
+  ) {
+    throw new DeveloperError(
+      "Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey first",
+    );
+  }
+  //>>includeEnd('debug');
+
+  if (defined(ITwinPlatform.defaultShareKey)) {
+    return `Basic ${ITwinPlatform.defaultShareKey}`;
+  }
+  return `Bearer ${ITwinPlatform.defaultAccessToken}`;
+};
+
 /**
  * Gets or sets the default iTwin API endpoint.
  *
@@ -121,15 +157,20 @@ ITwinPlatform.apiEndpoint = new Resource({
 ITwinPlatform.getExports = async function (iModelId) {
   //>>includeStart('debug', pragmas.debug);
   Check.typeOf.string("iModelId", iModelId);
-  if (!defined(ITwinPlatform.defaultAccessToken)) {
-    throw new DeveloperError("Must set ITwinPlatform.defaultAccessToken first");
+  if (
+    !defined(ITwinPlatform.defaultAccessToken) &&
+    !defined(ITwinPlatform.defaultShareKey)
+  ) {
+    throw new DeveloperError(
+      "Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey first",
+    );
   }
   //>>includeEnd('debug')
 
   const resource = new Resource({
     url: `${ITwinPlatform.apiEndpoint}mesh-export`,
     headers: {
-      Authorization: `Bearer ${ITwinPlatform.defaultAccessToken}`,
+      Authorization: ITwinPlatform._getAuthorizationHeader(),
       Accept: "application/vnd.bentley.itwin-platform.v1+json",
       Prefer: "return=representation",
     },
@@ -213,15 +254,20 @@ ITwinPlatform.getRealityDataMetadata = async function (iTwinId, realityDataId) {
   //>>includeStart('debug', pragmas.debug);
   Check.typeOf.string("iTwinId", iTwinId);
   Check.typeOf.string("realityDataId", realityDataId);
-  if (!defined(ITwinPlatform.defaultAccessToken)) {
-    throw new DeveloperError("Must set ITwinPlatform.defaultAccessToken first");
+  if (
+    !defined(ITwinPlatform.defaultAccessToken) &&
+    !defined(ITwinPlatform.defaultShareKey)
+  ) {
+    throw new DeveloperError(
+      "Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey first",
+    );
   }
   //>>includeEnd('debug')
 
   const resource = new Resource({
     url: `${ITwinPlatform.apiEndpoint}reality-management/reality-data/${realityDataId}`,
     headers: {
-      Authorization: `Bearer ${ITwinPlatform.defaultAccessToken}`,
+      Authorization: ITwinPlatform._getAuthorizationHeader(),
       Accept: "application/vnd.bentley.itwin-platform.v1+json",
     },
     queryParameters: { iTwinId: iTwinId },
@@ -275,15 +321,20 @@ ITwinPlatform.getRealityDataURL = async function (
   Check.typeOf.string("iTwinId", iTwinId);
   Check.typeOf.string("realityDataId", realityDataId);
   Check.typeOf.string("rootDocument", rootDocument);
-  if (!defined(ITwinPlatform.defaultAccessToken)) {
-    throw new DeveloperError("Must set ITwinPlatform.defaultAccessToken first");
+  if (
+    !defined(ITwinPlatform.defaultAccessToken) &&
+    !defined(ITwinPlatform.defaultShareKey)
+  ) {
+    throw new DeveloperError(
+      "Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey first",
+    );
   }
   //>>includeEnd('debug')
 
   const resource = new Resource({
     url: `${ITwinPlatform.apiEndpoint}reality-management/reality-data/${realityDataId}/readaccess`,
     headers: {
-      Authorization: `Bearer ${ITwinPlatform.defaultAccessToken}`,
+      Authorization: ITwinPlatform._getAuthorizationHeader(),
       Accept: "application/vnd.bentley.itwin-platform.v1+json",
     },
     queryParameters: { iTwinId: iTwinId },

diff --git a/packages/engine/Source/Scene/ITwinData.js b/packages/engine/Source/Scene/ITwinData.js
@@ -160,6 +160,7 @@ ITwinData.createDataSourceForRealityDataId = async function (
   realityDataId,
   type,
   rootDocument,
+  // TODO: is there a nice-ish way to thread through custom access tokens per asset?
 ) {
   //>>includeStart('debug', pragmas.debug);
   Check.typeOf.string("iTwinId", iTwinId);
@@ -227,8 +228,13 @@ ITwinData.loadGeospatialFeatures = async function (
     Check.typeOf.number.lessThanOrEquals("limit", limit, 10000);
     Check.typeOf.number.greaterThanOrEquals("limit", limit, 1);
   }
-  if (!defined(ITwinPlatform.defaultAccessToken)) {
-    throw new DeveloperError("Must set ITwinPlatform.defaultAccessToken first");
+  if (
+    !defined(ITwinPlatform.defaultAccessToken) &&
+    !defined(ITwinPlatform.defaultShareKey)
+  ) {
+    throw new DeveloperError(
+      "Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey first",
+    );
   }
   //>>includeEnd('debug')
 
@@ -239,7 +245,7 @@ ITwinData.loadGeospatialFeatures = async function (
   const resource = new Resource({
     url: tilesetUrl,
     headers: {
-      Authorization: `Bearer ${ITwinPlatform.defaultAccessToken}`,
+      Authorization: ITwinPlatform._getAuthorizationHeader(),
       Accept: "application/vnd.bentley.itwin-platform.v1+json",
     },
     queryParameters: {

diff --git a/packages/engine/Specs/Core/ITwinPlatformSpec.js b/packages/engine/Specs/Core/ITwinPlatformSpec.js
@@ -7,13 +7,50 @@ import {
 
 describe("ITwinPlatform", () => {
   let previousAccessToken;
+  let previousShareKey;
   beforeEach(() => {
     previousAccessToken = ITwinPlatform.defaultAccessToken;
     ITwinPlatform.defaultAccessToken = "default-access-token";
+    previousShareKey = ITwinPlatform.defaultShareKey;
+    ITwinPlatform.defaultShareKey = undefined;
   });
 
   afterEach(() => {
     ITwinPlatform.defaultAccessToken = previousAccessToken;
+    ITwinPlatform.defaultShareKey = previousShareKey;
+  });
+
+  describe("_getAuthorizationHeader", () => {
+    it("rejects with no default access token or default share key set", async () => {
+      ITwinPlatform.defaultAccessToken = undefined;
+      ITwinPlatform.defaultShareKey = undefined;
+      expect(() =>
+        ITwinPlatform._getAuthorizationHeader(),
+      ).toThrowDeveloperError(
+        /Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey/,
+      );
+    });
+
+    it("uses default access token if default share key not set", () => {
+      ITwinPlatform.defaultAccessToken = "access-token";
+      ITwinPlatform.defaultShareKey = undefined;
+      const header = ITwinPlatform._getAuthorizationHeader();
+      expect(header).toEqual("Bearer access-token");
+    });
+
+    it("uses default share key if default access token not set", () => {
+      ITwinPlatform.defaultAccessToken = undefined;
+      ITwinPlatform.defaultShareKey = "share-key";
+      const header = ITwinPlatform._getAuthorizationHeader();
+      expect(header).toEqual("Basic share-key");
+    });
+
+    it("uses default share key even if default access token is set", () => {
+      ITwinPlatform.defaultAccessToken = "access-token";
+      ITwinPlatform.defaultShareKey = "share-key";
+      const header = ITwinPlatform._getAuthorizationHeader();
+      expect(header).toEqual("Basic share-key");
+    });
   });
 
   describe("getExports", () => {
@@ -30,12 +67,13 @@ describe("ITwinPlatform", () => {
       );
     });
 
-    it("rejects with no default access token set", async () => {
+    it("rejects with no default access token or default share key set", async () => {
       ITwinPlatform.defaultAccessToken = undefined;
+      ITwinPlatform.defaultShareKey = undefined;
       await expectAsync(
         ITwinPlatform.getExports("imodel-id-1"),
       ).toBeRejectedWithDeveloperError(
-        "Must set ITwinPlatform.defaultAccessToken first",
+        /Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey/,
       );
     });
 
@@ -142,12 +180,13 @@ describe("ITwinPlatform", () => {
       );
     });
 
-    it("rejects with no default access token set", async () => {
+    it("rejects with no default access token or default share key set", async () => {
       ITwinPlatform.defaultAccessToken = undefined;
+      ITwinPlatform.defaultShareKey = undefined;
       await expectAsync(
         ITwinPlatform.getRealityDataMetadata("itwin-id-1", "reality-data-id-1"),
       ).toBeRejectedWithDeveloperError(
-        "Must set ITwinPlatform.defaultAccessToken first",
+        /Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey/,
       );
     });
 
@@ -271,7 +310,7 @@ describe("ITwinPlatform", () => {
       );
     });
 
-    it("rejects with no default access token set", async () => {
+    it("rejects with no default access token or default share key set", async () => {
       ITwinPlatform.defaultAccessToken = undefined;
       await expectAsync(
         ITwinPlatform.getRealityDataURL(
@@ -280,7 +319,7 @@ describe("ITwinPlatform", () => {
           "root/document/path.json",
         ),
       ).toBeRejectedWithDeveloperError(
-        "Must set ITwinPlatform.defaultAccessToken first",
+        /Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey/,
       );
     });
 

diff --git a/packages/engine/Specs/Scene/ITwinDataSpec.js b/packages/engine/Specs/Scene/ITwinDataSpec.js
@@ -391,12 +391,13 @@ describe("ITwinData", () => {
       );
     });
 
-    it("rejects with no default access token set", async () => {
+    it("rejects with no default access token or default share key set", async () => {
       ITwinPlatform.defaultAccessToken = undefined;
+      ITwinPlatform.defaultShareKey = undefined;
       await expectAsync(
         ITwinData.loadGeospatialFeatures("itwin-id-1", "collection-id-1"),
       ).toBeRejectedWithDeveloperError(
-        "Must set ITwinPlatform.defaultAccessToken first",
+        /Must set ITwinPlatform.defaultAccessToken or ITwinPlatform.defaultShareKey/,
       );
     });