MyApp/_pages/auth/apikeys.md
7 additions & 23 deletions
Original file line number
Diff line number
Diff line change
@@ -2,24 +2,13 @@
2
2
title: API Keys
3
3
---
4
4
5
-
As we continue to embrace and natively integrate with ASP.NET Core's .NET 8 platform, we've reimplemented the last
6
-
major feature missing from ServiceStack Auth - support for API Keys that's available from **ServiceStack v8.3**.
7
-
8
-
:::warning API Key Feature Vulnerability
9
-
**ServiceStack v8.7+** resolves a vulnerability we've discovered in the management APIs of this API Keys feature, if using API Keys please upgrade as soon as possible.
10
-
:::
11
-
12
-
### What are API Keys?
13
-
14
-
API Keys are a simple and effective way to authenticate and authorize access to your APIs, which are typically used
15
-
for machine-to-machine communication, where a client application needs to access an API without user intervention.
5
+
API Keys are a simple and effective way to authenticate and authorize access to your APIs, which are typically used for machine-to-machine communication, where a client application needs to access an API without user intervention.
16
6
API Keys are often used to control access to specific resources or features in your API, providing a simple way
17
7
to manage access control.
18
8
19
9
### Redesigning API Keys
20
10
21
-
Building on our experience with API Keys in previous versions of ServiceStack, we've taken the opportunity to redesign
22
-
how API Keys work to provide a more flexible and powerful way to manage access control for your APIs.
11
+
Building on our experience with API Keys in previous versions of ServiceStack, we've taken the opportunity to redesign how API Keys work to provide a more flexible and powerful way to manage access control for your APIs.
23
12
24
13
The existing [API Key Auth Provider](https://docs.servicestack.net/auth/api-key-authprovider) was implemented as
25
14
another Auth Provider that provided another way to authenticate a single user. The consequences of this was:
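Review bot: The removed `:::warning API Key Feature Vulnerability` block (old lines 8-10) is the only place in this hunk telling readers that ServiceStack v8.7+ resolves a vulnerability in the management APIs of the API Keys feature, and deleting it leaves anyone still on an earlier version with no upgrade prompt on this page. Suggest keeping the warning, or replacing it with a link to wherever the notice now lives. The same deletion also drops the statement that the feature is available from ServiceStack v8.3 and the `### What are API Keys?` heading, so the opening paragraph now follows the front matter with no minimum-version note and no heading; consider retaining both.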
@@ -43,7 +32,7 @@ where the new `ApiKeysFeature` is now just a plugin instead of an Auth Provider,
43
32
Auth Apps with:
44
33
45
34
:::sh
46
-
x mix apikeys
35
+
npx add-in apikeys
47
36
:::
48
37
49
38
Which will add the API Keys [Modular Startup](https://docs.servicestack.net/modular-startup) to your Host project, a minimal example of which looks like:
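Review bot: Replacing `x mix apikeys` with `npx add-in apikeys` at new line 35 changes the prerequisite from the `x` tool to Node.js/npx, and the surrounding text does not say so. Since npx fetches and runs the named package from the npm registry when it is not already installed, suggest stating the required tooling next to the command and considering a pinned package version so readers run a known release.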
@@ -91,8 +80,7 @@ if (feature.ApiKeyCount(db) == 0)
91
80
92
81
### Basic Usage
93
82
94
-
With the plugin registered, you can now use the `ValidateApiKey` attribute to limit APIs to only be accessible with a
95
-
valid API Key, e.g:
83
+
With the plugin registered, you can now use the `ValidateApiKey` attribute to limit APIs to only be accessible with a valid API Key, e.g:
96
84
97
85
```csharp
98
86
[ValidateApiKey]
@@ -101,15 +89,11 @@ public class MyRequest {}
101
89
102
90
### Use API Keys with our without Users and Authentication
103
91
104
-
API Keys can optionally be associated with a User, but they don't have to be, nor do they run in the context of a User
105
-
or are able to invoke any Authenticated APIs on their own. Users who create them can also limit their scope to only
106
-
call APIs they have access to, which can be done with user-defined scopes:
92
+
API Keys can optionally be associated with a User, but they don't have to be, nor do they run in the context of a User or are able to invoke any Authenticated APIs on their own. Users who create them can also limit their scope to only call APIs they have access to, which can be done with user-defined scopes:
107
93
108
94
### Scopes
109
95
110
-
Scopes are user-defined strings that can be used to limit APIs from only being accessible with API Keys that have the
111
-
required scope. For example, we could create generate API Keys that have **read only**, **write only** or **read/write**
112
-
access to APIs by assigning them different scopes, e.g:
96
+
Scopes are user-defined strings that can be used to limit APIs from only being accessible with API Keys that have the required scope. For example, we could create generate API Keys that have **read only**, **write only** or **read/write** access to APIs by assigning them different scopes, e.g:
113
97
114
98
```csharp
115
99
publicstaticclassScopes
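Review bot: The lines rejoined here still carry wording errors worth fixing while they are being touched: new line 96 reads "we could create generate API Keys" (drop one of the two verbs), and new line 92 has "nor do they run in the context of a User or are able to invoke", which would read better as "nor are they able to invoke". The unchanged heading at new line 90, "Use API Keys with our without Users and Authentication", should read "with or without".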
@@ -502,4 +486,4 @@ Or use a different HTTP Header by configuring `ApiKeysFeature.HttpHeader`, e.g: