How do you identify the caller when using a hosted service?

When you make a call to a hosted service method, you need to provide a user token to check caller permissions, which Backendless does automatically.

However, inside the call I want to use the identity. Can I get the identity from the token used, or am I going to need to have a userId parameter on every hosted call to identify the user? This user ID would need to remain protected from all other users in the system so that no one else can impersonate them, unless there is a way to resolve a user token back to a user account.

I was thinking that some users might be able to enumerate other users to share data, so protecting the userID might be difficult and not a secure way of proving the caller's identity.

What's the Backendless recommended way to do this?

Ian,

When a logged-in user calls your hosted service, their user-token is sent to Backendless. Before the control is passed to your service, we convert the token to a valid userId which is available in your hosted service via com.backendless.servercode.InvocationContext.getUserId(). Is this what you’re looking for?

Regards,
Mark

That was exactly what I was looking for. Searched high and low in docs, but could not find that info, so thank you.

You are welcome. It is actually documented here: https://backendless.com/documentation/api-engine/apieng_invocation_context.htm
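
As an added illustration of the answer above (not code from this thread or from Backendless): a hosted service that takes the caller's identity from InvocationContext.getUserId() instead of a userId argument. NotesService, its methods and the in-memory store are hypothetical, and treating a null or empty id as an unauthenticated caller is an assumption.

```java
import com.backendless.servercode.IBackendlessService;
import com.backendless.servercode.InvocationContext;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical hosted service; class, method and field names are illustrative.
public class NotesService implements IBackendlessService {

    // Constructed in-memory stand-in for real persistence: noteId -> {ownerId, text}.
    private static final Map<String, String[]> NOTES = new ConcurrentHashMap<>();

    // Anti-pattern: identity is a client-controlled argument, so a caller who
    // learns another user's id can pass it and be treated as that user.
    public String readNoteUnsafe(String userId, String noteId) {
        return lookup(userId, noteId);
    }

    // Preferred: no identity parameter. The id comes from the user-token that
    // Backendless resolved before passing control to the service.
    public String readNote(String noteId) {
        return lookup(requireCaller(), noteId);
    }

    // The owner is always the resolved caller; an existing note can only be
    // overwritten by the user who created it.
    public void saveNote(String noteId, String text) {
        String callerId = requireCaller();
        NOTES.merge(noteId, new String[] { callerId, text }, (old, fresh) -> {
            if (!old[0].equals(callerId)) throw new SecurityException("note not found");
            return fresh;
        });
    }

    private static String requireCaller() {
        String callerId = InvocationContext.getUserId();
        // Assumption: no id is available when the call carried no valid user-token.
        if (callerId == null || callerId.isEmpty()) {
            throw new SecurityException("login required");
        }
        return callerId;
    }

    private static String lookup(String ownerId, String noteId) {
        String[] note = NOTES.get(noteId);
        // Same error for "missing" and "not yours" so note ids cannot be probed.
        if (note == null || !note[0].equals(ownerId)) {
            throw new SecurityException("note not found");
        }
        return note[1];
    }
}
```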