All the APIs documented here require an API token for access. A new API token can be generated from Slash GraphQL by selecting the “Settings” button from the sidebar, then clicking the Add API Key button. Keep your API key safe, it will not be accessible once you leave the page.
All admin API requests must be authenticated by passing the API token as the ‘X-Auth-Token’ header to every HTTP request. You can verify that your API token works by using the following HTTP example.
What do I need a client API key for, when I can query the database (from Postman/Insomnia) on my Slash Dgraph instance without providing the client API key? What is the use-case for a client API key?
As I read the documentation, one needs a client API key to query the database, but when I try to query the database from Insomnia - without providing any X-Auth-Token header - then my request is still accepted and processed.
In summary, I fail to understand the following:
When interacting with my Slash Dgraph instance, in what situations do I need to provide a client API key? And what will it allow me to do? Will it allow me to read and mutate all data, or only the data that was inserted using that client API key?
(My confusion probably also stems from Securing Your GraphQL endpoint at the same time stating this: “All GraphQL queries and mutations are unrestricted by default” )
The client key is required when using the non-graphql endpoints, such as DQL’s /query, /mutate or the gRPC endpoints with a Dgraph client such as dgo.
DQL queries do not honor any @auth rules specified in your GraphQL schema, and hence access to these APIs require this extra layer of security.
We are also building out a simple way to lock down your GraphQL endpoint, and only allow anonymous access to certain operations, and this should go live in a month or so (End Feb 2021).
I’m really surprised that my Slash endpoint is public by default. I tried the same as mortenalbertsen and to my surprise my query was executed without providing my api key. My only option here is to use another database or deploy it locally both of which I would prefer not to do. Any updates on this?
My use case is this - I have a backend API that will only access the database. We may move from Slash hosting to on prem in the future but for now we are using slash. I don’t want to deal with ACLs just yet as that seems very nice but will slow us down in the beginning.
I’m confused by the multiple layers of authentication:
Slash API Key generated from the website
JWT based authentication defined in the schema (e.g. Auth0)
Are these two completely separate? I would like to only access the database using the Slash API token and not use JWT if possible. Is there a way to do just that?
I have this piece in my schema (with sensitive info removed) which seems to at least require the JWT however I would like it to only require the token. Dgraph.Authorization {"ClosedByDefault":true}
Yes, that’s what we are working on, you’ll be able to restrict which graphql types an anonymous client can access, and use an access key to access other operations
Agree with the other comments here. We should not have the APIs open by default. To that extent, we’ve been redesigning parts of the cloud interface, including this aspect.
