4
0

api_keys.adoc 3.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566
  1. [#api-keys]
  2. = API Keys
  3. This page is for **developers** who want to call OliveTin's HTTP API (Connect RPC under `/api/`) using a **Bearer token**, without using the interactive web login.
  4. API keys are configured on xref:security/local.adoc[local users] as an optional `apiKey` field. When present, clients can authenticate by sending:
  5. ----
  6. Authorization: Bearer <your-api-key>
  7. ----
  8. The prefix `Bearer ` (including the trailing space after `Bearer`) must match exactly.
  9. == Configuration
  10. include::partial$config-start.adoc[]
  11. ----
  12. authLocalUsers:
  13. enabled: true
  14. users:
  15. - username: automation
  16. usergroup: bots
  17. apiKey: "{{ .Env.OLIVETIN_AUTOMATION_KEY }}"
  18. - username: alice
  19. usergroup: admins
  20. password: $argon2id$v=19$m=65536,t=4,p=6$...
  21. apiKey: "{{ .Env.OLIVETIN_ALICE_API_KEY }}"
  22. ----
  23. * Use a **long, random** API key (similar to any other bearer secret).
  24. * Prefer loading the key from the environment with `{{ .Env.VAR }}` instead of committing the raw value to disk.
  25. * **TLS**: send bearer tokens only over HTTPS in real deployments.
  26. * **Interactive login**: if a user has **no** `password` configured, they **cannot** use the `/login` page; they can only authenticate with an API key (or another auth mechanism you configure separately).
  27. Two local users **must not** share the same `apiKey` value. OliveTin will refuse to start if duplicate keys are detected.
  28. == Authorization (permissions)
  29. API key authentication uses the same **username** and **usergroup** as the matching local user. xref:security/acl.adoc[Access Control Lists] and `defaultPermissions` apply in the same way as for users who sign in via the web UI.
  30. == Example: curl and Init
  31. The OliveTin API is **Connect RPC**. Unary calls accept JSON bodies. The following example calls `Init` with an empty request object:
  32. [source,bash]
  33. ----
  34. curl -sS -X POST \
  35. -H "Authorization: Bearer YOUR_API_KEY_HERE" \
  36. -H "Content-Type: application/json" \
  37. "https://olivetin.example.com:1337/api/olivetin.api.v1.OliveTinApiService/Init" \
  38. --data '{}'
  39. ----
  40. Replace the host, port, and path prefix if your installation differs. Other RPCs use the same URL pattern with a different final segment (method name).
  41. == Operational security notes
  42. * **Reverse proxies**: if you use xref:security/trusted_header.adoc[Trusted Header Authorization], remember it is evaluated **before** bearer API keys. Do not expose OliveTin in a way that allows clients to spoof trusted identity headers.
  43. * **Debug logging**: avoid enabling `logDebugOptions.singleFrontendRequestHeaders` in production. OliveTin redacts common sensitive headers (including `Authorization`) in debug output, but minimizing debug surface area is still recommended.
  44. * **Brute force**: OliveTin does not ship per-IP rate limiting for failed bearer attempts. Consider rate limiting or WAF rules on `/api/` at your reverse proxy.
  45. == See also
  46. * xref:security/local.adoc[Local Users Authorization] (password hashing and local user basics)
  47. * xref:security/acl.adoc[Access Control Lists]