When a user want to edit or preview a file for example, it access an url on your app. This URL will always be completed with a token allowing you to verify the user identity.

POST api/v1/core/token
Request
{
    "token": ""
}
Response
{
    "workspace_id": "",
    "group_id": "",
    "user_id": "",
    "app_id": ""
}

You MUST verify this token because if you dont, anybody can access the data provided by your app.