Home

Authentication API

When you run a node, you can require that API calls have an authorization token attached. This API manages the creation and revocation of authorization tokens.

An authorization token provides access to one or more API endpoints. This is useful for delegating access to a node’s APIs. Tokens expire after 12 hours.

An authorization token is provided in the header of an API call. Specifically, the header Authorization should have value Bearer TOKEN.GOES.HERE (where TOKEN.GOES.HERE is replaced with the token).

This API is only reachable if the node is started with config flag--api-auth-required. If the node is started without this CLI, API calls do not require authorization tokens, so this API is not reachable. This API never requires an authorization token to be reached.

Authorization token creation must be permissioned. If you run your node with --api-auth-required, you must also specify the file to read the Auth API's password from, with argument --api-auth-password-file. You must provide this password in order to create/revoke authorization tokens.

Format#

This API uses the json 2.0 RPC format. For more information on making JSON RPC calls, see here.

Endpoint#


_10
/ext/auth

Methods#

auth.newToken#

Creates a new authorization token that grants access to one or more API endpoints.

Signature:


_10
auth.newToken(
_10
{
_10
password: string,
_10
endpoints: []string
_10
}
_10
) -> {token: string}

  • password is this node’s authorization token password.
  • endpoints is a list of endpoints that will be accessible using the generated token. If endpoints contains an element "*", the generated token can access any API endpoint.
  • token is the authorization token.

Example Call:


_10
curl -X POST --data '{
_10
"jsonrpc": "2.0",
_10
"method": "auth.newToken",
_10
"params":{
_10
"password":"YOUR PASSWORD GOES HERE",
_10
"endpoints":["/ext/bc/V", "/ext/info"]
_10
},
_10
"id": 1
_10
}' -H 'content-type:application/json;' 127.0.0.1:9650/ext/auth

This call will generate an authorization token that allows access to API endpoints /ext/bc/V (that is the Value Chain) and /ext/info (that is the info API.)

Example Response:


_10
{
_10
"jsonrpc": "2.0",
_10
"result": {
_10
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJFbmRwb2ludHMiOlsiKiJdLCJleHAiOjE1OTM0NzU4OTR9.Cqo7TraN_CFN13q3ae4GRJCMgd8ZOlQwBzyC29M6Aps"
_10
},
_10
"id": 1
_10
}

This authorization token should be included in API calls by giving header Authorization value Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJFbmRwb2ludHMiOlsiKiJdLCJleHAiOjE1OTM0NzU4OTR9.Cqo7TraN_CFN13q3ae4GRJCMgd8ZOlQwBzyC29M6Aps.

For example, to call info.peers with this token:


_10
curl -X POST --data '{
_10
"jsonrpc":"2.0",
_10
"id" :1,
_10
"method" :"info.peers"
_10
}' 127.0.0.1:9650/ext/info \
_10
-H 'content-type:application/json;' \
_10
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJFbmRwb2ludHMiOlsiKiJdLCJleHAiOjE1OTM0NzU4OTR9.Cqo7TraN_CFN13q3ae4GRJCMgd8ZOlQwBzyC29M6Aps'

auth.revokeToken#

Revoke a previously generated token. The given token will no longer grant access to any endpoint. If the token is invalid, does nothing.

Signature:


_10
auth.revokeToken(
_10
{
_10
password: string,
_10
token: string
_10
}
_10
) -> {}

  • password is this node’s authorization token password.
  • token is the authorization token being revoked.

Example Call:


_10
curl -X POST --data '{
_10
"jsonrpc": "2.0",
_10
"method": "auth.revokeToken",
_10
"params":{
_10
"password":"123",
_10
"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTMxNzIzMjh9.qZVNhH6AMQ_LpbXnPbTFEL6Vm5EM5FLU-VEKpYBH3k4"
_10
},
_10
"id": 1
_10
}' -H 'content-type:application/json;' 127.0.0.1:9650/ext/auth

Example Response:


_10
{
_10
"jsonrpc": "2.0",
_10
"result": {},
_10
"id": 1
_10
}

auth.changePassword#

Change this node’s authorization token password. Any authorization tokens created under an old password will become invalid.

Signature:


_10
auth.changePassword(
_10
{
_10
oldPassword: string,
_10
newPassword: string
_10
}
_10
) -> {}

  • oldPassword is this node’s current authorization token password.
  • newPassword is the node’s new authorization token password after this API call. Must be between 1 and 1024 characters.

Example Call:


_10
curl -X POST --data '{
_10
"jsonrpc": "2.0",
_10
"method": "auth.changePassword",
_10
"params":{
_10
"oldPassword":"OLD PASSWORD HERE",
_10
"newPassword":"NEW PASSWORD HERE"
_10
},
_10
"id": 1
_10
}' -H 'content-type:application/json;' 127.0.0.1:9650/ext/auth

Example Response:


_10
{
_10
"jsonrpc": "2.0",
_10
"result": {},
_10
"id": 1
_10
}