Configure API Keys
VaultCode exposes a REST API to interact with it. This guide explains how to restrict access to the REST API using API keys.
API keys protect only the /v1/upload_execution_code and /v1/execution endpoints.
If you want to protect all endpoints, consider using JWTs.
Configure
In the application-xyz.yml configuration file, the vaultcode.apiAuthentication section contains the relevant definitions.
Fill them out according to your needs, and then load the edited application-xyz.yml into the container.
vaultcode:
  # Other lines omitted
  # Define API keys that clients should pass in the "X-API-KEY" header.
  apiAuthentication:
    enabled: true
    executeToken: "my-exec-secret" # Access to /v1/execution
    loadExecutionCodeToken: "my-upload-secret" # Access to /v1/upload_execution_code
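A pre-deployment check for the section above, as an added example that is not part of VaultCode or of the original guide: it flags a disabled apiAuthentication block, keys still set to this guide's placeholder values, short keys, and one key shared by both endpoints. The 32-character minimum and the function names auth_value and lint_api_auth are assumptions.

```shell
#!/usr/bin/env bash
# Added example: lint the vaultcode.apiAuthentication block of a config file.
# MIN_LEN and the placeholder list are assumptions, not VaultCode requirements.
MIN_LEN=32

# Print one key's value from the apiAuthentication block (quotes stripped).
auth_value() {  # $1 = file, $2 = key
  awk -v key="$2" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    /^ *apiAuthentication:/ { base = indent($0); inside = 1; next }
    inside && indent($0) <= base { inside = 0 }   # indentation dropped: block ended
    inside && $1 == key ":" { v = $2; gsub(/"/, "", v); print v; exit }
  ' "$1"
}

# Print findings (never the key values); return 1 if any were found.
lint_api_auth() {  # $1 = config file
  local file=$1 bad=0 name tok
  if [ "$(auth_value "$file" enabled)" != "true" ]; then
    echo "FAIL enabled is not true: API keys are not enforced"; bad=1
  fi
  for name in executeToken loadExecutionCodeToken; do
    tok=$(auth_value "$file" "$name")
    case "$tok" in
      "") echo "FAIL $name is missing or empty"; bad=1 ;;
      my-exec-secret|my-upload-secret)
        echo "FAIL $name still holds the documentation placeholder"; bad=1 ;;
      *) if [ "${#tok}" -lt "$MIN_LEN" ]; then
           echo "FAIL $name is shorter than $MIN_LEN characters"; bad=1
         fi ;;
    esac
  done
  tok=$(auth_value "$file" executeToken)
  if [ -n "$tok" ] && [ "$tok" = "$(auth_value "$file" loadExecutionCodeToken)" ]; then
    echo "FAIL both endpoints share one key: upload and execute are not separated"; bad=1
  fi
  return "$bad"
}

# Constructed sample: the placeholder values from this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
vaultcode:
  apiAuthentication:
    enabled: true
    executeToken: "my-exec-secret" # Access to /v1/execution
    loadExecutionCodeToken: "my-upload-secret" # Access to /v1/upload_execution_code
EOF
lint_api_auth "$sample" || echo "config needs attention"
```

Run it against the edited application-xyz.yml before loading the file into the container; a clean file prints nothing and returns 0.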
Test
When making requests to the REST API, pass the configured API key in the X-API-KEY HTTP header field.
For details, see the linked tutorials.
To upload a JAR (full tutorial):
JAR=/path/to/code.jar
# Uploading requires loadExecutionCodeToken.
curl "https://demo-vaultcode.securosys.com/api/v1/upload_execution_code" \
  --header "X-API-KEY: my-upload-secret" \
  --form "file=@${JAR};type=application/java-archive"
To execute the JAR (full tutorial):
INPUT=$(echo -n "foo" | base64)
# Executing requires executeToken.
curl "https://demo-vaultcode.securosys.com/api/v1/execute" \
  --header "X-API-KEY: my-exec-secret" \
  --json '{ "executeRequest": { "input": "'"$INPUT"'", "timeout": "30s" } }'
You can verify that requests without a correct X-API-KEY header field are now rejected:
{"errorCode":631,"reason":"res.error.invalid.api.key","message":"API key is missing or invalid."}