To ensure that all requests for server data be performed by an authorized user, the OAS Web HMI Script Library attaches an authentication token to each request. This token is generated by the Open Automation Software Server when provided a valid credential.

The token will expire after a period of disuse, or when the Open Automation Software Server is restarted, so it should be generated dynamically when a page is initially accessed. Options for generating the token are:

  • Other Web Technologies
  • Client-Side Authentication
  • Java Script Authentication


When a page is initially rendered a call can be made to the OASConfig library to create the token, which can then be embedded in the page header. Within .NET MVC, this authentication call can be made in template code to embed a WebHMI token, or within a controller for accessing OAS data directly or for providing client script access to an authentication token.


Dim un as String = "YourUserName"
Dim pw as String = "YourPassword"
Dim config as new OASConfig.Config()
Dim token as String = config.GetToken(un, pw)
Dim url as String = "http://yourserver:port"
ClientScriptManager.RegisterStartupScript(Me.GetType(), _
    "OASWebToken", _
    "OAS_config = {token:'" + token + "','" + url + "'};", _


string un = "YourUserName";
string pw = "YourPassword";
OASConfig.Config config = new OASConfig.Config();
string token = config.GetToken(un, pw);
string url = "http://yourserver:port";
    "OAS_config = {token:'" + token + "','" + url + "'};", 

The credential used could be taken directly from the user’s login within your application, or it could be a standard credential established on the server for all users.

Other Web Technologies

Similar to ASP.NET or .NET MVC, it is recommended that the authentication token be generated on the server so that credentials are not passed from client to server, and are only exchanged in server-to-server communication.

For non-.NET technologies, you can use the API to make an authentication call to the Open Automation Software Server.

Client-Side Authentication

If you are operating within a secure network, and are not concerned about passing credentials between clients and the Open Automation Software Server, you can perform the authentication from within client script.

The following Javascript code will perform the server authentication and then begin refreshing the page with server data:


Java Script Authentication

In javascript, code can kick off an authentication by just calling the following:


What happens

In context, the steps would be as follows:

  1. Collect some credentials on the client, this can be from a form, or from any other client script
  2. Call OAS.authenticate() using those credentials
  3. The OAS Service will validate the credential and return a token, which will then be applied and used for all subsequent callbacks from the client library.
  4. If you wish to cache this token on the client, you can get it from the OAS.token property, and then use it on other screens in the OAS_config settings so there’s no need to call OAS.authenticate again when switching pages or screens.


Here’s an example in javascript which does all of this. The do_authentication function would be called on a login form that contains username and password fields.

<script type="text/javascript">
      OAS_config = {
            serverURL: 'http://localhost:58725',
            refresh_callback: update_local
      function update_local(data){
            // this function is called on every server callback
            if (OAS.token != OAS_config.token) {
                  // the authentication token has been updated
                  // you can now use the token for all subsequent pages within a session
                  OAS_config.token = OAS.token;
      function do_authentication() {
            var un = $("#username").val();
            var pw = $("#password").val();
            OAS.authenticate(un, pw);