API security
The API "Security" screen allows you to edit the security settings.
Accessing the screen
In the left sidebar menu, click [API] and select the API you want to look at. Then, click [Security] on the API endpoint screen.
This displays the "Security" pop-up screen.
Security options
Choose one of the four options below.
Item | Description |
---|---|
None | No access restrictions. |
Static Access Token | Statically generated authentication token. |
Dynamic Access Token | Dynamically generated authentication token. |
Cookie | Cookie-based authentication. |
Overview of the security options
None
No security settings. Select this option when creating and testing temporary development APIs or using completely open data.
Since the endpoint can be accessed directly without a token, it is recommended to select and configure one of the other security options.
Static Access Token
Configures the authentication method using statically generated tokens. Used for inter-server communication and public information provision APIs. Specify the static token in the request header to allow access to secure endpoints.
Since statically generated tokens may unintentionally leak or be embedded in the frontend, please design your system to accommodate token updates.
Dynamic Access Token
Configures the authentication method using dynamically generated tokens. Used for sites that require login. This option dynamically generates a one-time token for each login authentication request; specify its value in the request header to access secure endpoints.
To use a dynamic access token, you need to ensure the following:
- At least one user must be registered.
- The required endpoint must be created.
- Token management control must be implemented in the front-end.
Required endpoint | Category | Model | Operation |
---|---|---|---|
Login | Authentication | Login(v1) | login_challenge |
Token | Authentication | Login(v1) | token |
As with the static access token option, the authentication status is not shared among multiple APIs, and authentication is required for each API.
Cookie
Configures the authentication method using cookies. Used for sites that require login.
Dynamically generating a cookie for each login authentication request and specifying its value in the request header allows access to secure endpoints.
To use cookies, you need to ensure the following:
- At least one user must be registered.
- The required endpoint must be created.
Required endpoint | Category | Model | Operation |
---|---|---|---|
Login | Authentication | Login(v1) | login_challenge |
In the case of multiple cookie authentication APIs, the authentication status is shared among all of them.
To avoid third-party cookie restrictions, match the front-end and Kuroco domains to generate first-party cookies.
IP address restriction
Access is allowed only from the specified IP address.
Use one of the following formats:
- IP Address (e.g., 192.0.2.1)
- CIDR (e.g., 192.0.2.0/24)
- IP range with "-" (e.g., 192.0.2.1-192.0.2.2)
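The three entry formats listed above can be checked before they are entered on the Security screen. The following is an added example, not Kuroco's own code; the function names, the strict CIDR check and the 256-address warning threshold are assumptions, and the sample entries are constructed.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) address covered by one entry; ValueError if malformed."""
    entry = entry.strip()
    if "-" in entry:                      # range form: first-last
        first_s, last_s = entry.split("-", 1)
        first = ipaddress.ip_address(first_s.strip())
        last = ipaddress.ip_address(last_s.strip())
        if first.version != last.version:
            raise ValueError(f"mixed address families: {entry!r}")
        if first > last:
            raise ValueError(f"range start is after range end: {entry!r}")
        return first, last
    if "/" in entry:                      # CIDR form
        # Assumption: reject host bits (192.0.2.1/24) as a likely typo.
        net = ipaddress.ip_network(entry, strict=True)
        return net.network_address, net.broadcast_address
    addr = ipaddress.ip_address(entry)    # single address
    return addr, addr

def is_allowed(client_ip, allowlist):
    """True if client_ip is inside any entry; a malformed entry raises ValueError."""
    ip = ipaddress.ip_address(client_ip)
    for entry in allowlist:
        first, last = parse_entry(entry)
        if ip.version == first.version and first <= ip <= last:
            return True
    return False

def audit(allowlist, max_hosts=256):
    """Return warnings for entries that are malformed or wider than max_hosts."""
    warnings = []
    for entry in allowlist:
        try:
            first, last = parse_entry(entry)
        except ValueError as exc:
            warnings.append(f"{entry}: invalid ({exc})")
            continue
        size = int(last) - int(first) + 1
        if size > max_hosts:
            warnings.append(f"{entry}: covers {size} addresses")
    return warnings

# Constructed sample allowlist using documentation address ranges.
SAMPLE = ["192.0.2.1", "198.51.100.0/24", "203.0.113.10-203.0.113.20"]
```

Running `audit()` over a proposed list flags entries such as `0.0.0.0/0` that would make the restriction ineffective.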