
Key Management

To use an API, an API key must be created in the DataMilk Web UI. Each API key can be configured as follows:

| Name | Type | Description |
| --- | --- | --- |
| id | String (read only, generated) | Unique id of the API key. |
| clientId | String (read only, generated) | Unique id to use from a client to authenticate using this key. |
| roles | String[] | Security roles to grant this API key. Shoppers: APIs typically used on commerce sites for shoppers, such as content rankings, A/B testing, and DataMilk Attention Data Script usage gathering. Admin: APIs that provide access to raw content management (e.g. collections, images, URLs), reporting, and algorithm API endpoint management. |
| allowedHosts | String[] (optional, default: empty) | List of host names that a browser can make API calls from. E.g. if code is running on cnn.com, cnn.com should be listed in this setting. If someone tries to run the code on a different domain using the same API key, the server will respond with access denied and the reason. Default: empty = all hosts are allowed. |
| maxCallPerSecond | Number (optional, default: 10) | Max requests per second allowed from any source IP address. Typically used to limit the rate of API calls from a shopper. |
| enabled | Boolean (default: true) | Controls whether the key is enabled. If disabled, API calls using the key will be denied. Used to invalidate a key as needed. |
| deleted | Boolean | Set to true when the API key is deleted. Note that this is a soft delete, and the API key can be undeleted if a mistake is made. |

Security

Client-side usage of an API key can be secured by listing all valid host names in the key. Only those host names will be allowed to make API calls. For server-to-server usage, origin IP filters can be used to further secure usage of an API key.

If an API key is found to be used maliciously, it can be disabled and a new API key used in its place. Configuring the security-related API key filters will usually prevent malicious API key usage.
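
How the settings in the table combine into a single allow/deny decision can be modelled as below. This is an added example, not DataMilk's server code: the `ApiKey` and `KeyGate` names, the exact-match host comparison, reading the host from the `Origin` header, and the one-second sliding window are all assumptions.

```python
# Added illustration: a model of the key settings described above,
# not DataMilk's implementation. All names here are hypothetical.
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ApiKey:
    client_id: str
    roles: list
    allowed_hosts: list = field(default_factory=list)  # empty = all hosts allowed
    max_call_per_second: int = 10
    enabled: bool = True
    deleted: bool = False


class KeyGate:
    """Applies one key's settings to each incoming call."""

    def __init__(self, key):
        self.key = key
        self.calls = defaultdict(deque)  # source IP -> call times in the last second

    def check(self, origin, source_ip, role, now=None):
        """Return (allowed, reason) for one call needing `role`."""
        now = time.monotonic() if now is None else now
        key = self.key
        if key.deleted or not key.enabled:
            return False, "key disabled or deleted"
        if role not in key.roles:
            return False, "role not granted"
        if key.allowed_hosts:
            # Assumption: the calling host is taken from the Origin header.
            host = (urlsplit(origin or "").hostname or "").lower()
            if host not in (h.lower() for h in key.allowed_hosts):
                return False, f"host not allowed: {host or 'none'}"
        # Rate limit is per source IP, as the maxCallPerSecond row describes.
        window = self.calls[source_ip]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= key.max_call_per_second:
            return False, "rate limit exceeded"
        window.append(now)
        return True, "ok"
```

A host check of this kind depends on a header the browser supplies, so it constrains browser use of the key only; server-to-server callers are covered by the origin IP filters mentioned above.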