Authenticating API requests.
Please note that the OntoPop backend open-source software project, which includes the event-driven data pipelines and APIs, is undergoing extensive redesign and refactoring as part of OntoPop Community 3.x in order to improve performance, security, extensibility and maintainability. As a result, the documentation on this page will be significantly updated. Please refer to the OntoPop Roadmap for further information.
OntoPop provides native out-of-the-box support for authenticating applications accessing the OntoPop APIs via API Keys. To use OntoPop's native API Key-based API authentication mechanism, it must be explicitly enabled via the application context configuration, specifically in the
OntoPop Community 2.x only supports the management of API Keys using the secrets engine configured in the security.secrets configuration namespace (for example HashiCorp Vault, AWS Secrets Manager or Azure Key Vault).
Note that API Keys alone are not considered best practice for securing APIs, given their propensity to appear in query string parameters and log files. If you are deploying OntoPop to a production environment, it is strongly recommended that you implement additional security measures to secure the OntoPop APIs, including but not limited to OAuth and JSON Web Tokens (JWT).
OntoPop manages API Keys using the following schema:
- The API Key itself, which client applications must include in the X-API-Key request header.
- The date and time (UTC) that the API Key was issued, in
- The date and time (UTC) that the API Key will expire, in
- The name of the API Key issuer.
- The name of the client application.
- Whether this API Key is enabled.
- A set of roles associated with this API Key for the purposes of authorization. Please see API Authorization for further details.
Example API Key
Provided below is an example API Key that is issued to a client application:
```json
{
  "issuer": "HyperLearning AI",
  "client": "Test App"
}
```
If OntoPop's native API Key-based API authentication is enabled, then client applications must include the API Key that they have been issued in the X-API-Key request header.
Assuming that an API Key has been included in the X-API-Key request header, OntoPop will perform the following ordered actions to authenticate the client application:
- Check whether the provided API Key exists in the configured secrets engine. OntoPop will look for a secret that has the same name as the API Key's key property, prefixed with
- If it does not exist, then an HTTP 401 Unauthorized response status will be returned to the client application.
- If it does exist, then check whether the API Key is enabled and that its expiration date has not passed. If either of these checks fails, then an HTTP 401 Unauthorized response status will be returned to the client. If both of these checks pass, then OntoPop will examine the roles that are associated with the API Key to authorize the request. Please see API Authorization for further details.
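The ordered checks above, worked through as an added illustration in Python; this is not OntoPop's own code. The secret-name prefix, the in-memory dictionary standing in for the secrets engine, the sample keys and the "reader" role are all constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Placeholder: the real OntoPop secret-name prefix is not reproduced here.
SECRET_NAME_PREFIX = "ontopop-api-key-"


@dataclass(frozen=True)
class ApiKey:
    """One API Key record, following the schema described on this page."""
    key: str
    issued: datetime
    expires: datetime
    issuer: str
    client: str
    enabled: bool
    roles: frozenset = field(default_factory=frozenset)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed stand-in for the secrets engine: secret name -> API Key record.
SECRETS = {
    SECRET_NAME_PREFIX + k.key: k
    for k in (
        ApiKey("valid-key", _utc(2022, 1, 1), _utc(2030, 1, 1),
               "HyperLearning AI", "Test App", True, frozenset({"reader"})),
        ApiKey("disabled-key", _utc(2022, 1, 1), _utc(2030, 1, 1),
               "HyperLearning AI", "Test App", False, frozenset({"reader"})),
        ApiKey("expired-key", _utc(2020, 1, 1), _utc(2021, 1, 1),
               "HyperLearning AI", "Test App", True, frozenset({"reader"})),
    )
}


def authenticate(headers, secrets, now=None):
    """Apply the page's ordered checks. Returns (status, roles)."""
    now = now or datetime.now(timezone.utc)
    # HTTP header names are case-insensitive, so normalise before lookup.
    key = {k.lower(): v for k, v in headers.items()}.get("x-api-key")
    if not key:
        return 401, None                       # no API Key presented
    record = secrets.get(SECRET_NAME_PREFIX + key)
    if record is None:
        return 401, None                       # key not in secrets engine
    if not record.enabled or record.expires <= now:
        return 401, None                       # disabled or expired
    return 200, record.roles                   # roles go on to authorization
```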