API security

The API "Security" screen allows you to edit the security settings.

Accessing the screen

In the left sidebar menu, click [API] and select the API you want to look at. Then, click [Security] on the API endpoint screen.

This displays the "Security" pop-up screen.

Security options

Choose one of the four options below.

Item                | Description
None                | No access restrictions.
Static Access Token | Statically generated authentication token.
Dynamic Access Token| Dynamically generated authentication token.
Cookie              | Cookie-based authentication.

Overview of the security options

None

No security settings. Select this option when creating and testing temporary development APIs or using completely open data.

We recommend selecting another setting if possible, as this option grants access to all users.

Static Access Token

Configures the authentication method using statically generated tokens. Used for inter-server communications. Specify the static token in the request header to allow access to secure endpoints.

This option runs the risk of token leaks and should be used in a closed network environment only.

To use a statically generated token, you need to create a required endpoint.

Required endpoint | Category       | Model     | Operation
Token             | Authentication | Login(v1) | token

In the case of multiple token authentication APIs, the authentication status is not shared among them, and authentication is required for each API.

Dynamic Access Token

Configures the authentication method using dynamically generated tokens. Used for sites that require login. This option dynamically generates a one-time token for each login authentication request and specifies its value in the request header to allow access to secure endpoints.

To use a dynamic access token, you need to ensure the following:

  • At least one user must be registered.
  • The required endpoints must be created.
  • Token management control must be implemented in the front-end.

Required endpoint | Category       | Model     | Operation
Login             | Authentication | Login(v1) | login_challenge
Token             | Authentication | Login(v1) | token

Like in the static access token option, the authentication status is not shared among multiple APIs, and authentication is required for each API.

Cookie

Configures the authentication method using cookies. Used for sites that require login.

Dynamically generating a cookie for each login authentication request and specifying its value in the request header allows access to secure endpoints.

To use cookies, you need to ensure the following:

  • At least one user must be registered.
  • The required endpoint must be created.

Required endpoint | Category       | Model     | Operation
Login             | Authentication | Login(v1) | login_challenge

In the case of multiple cookie authentication APIs, the authentication status is shared among all of them.

To avoid third-party cookie restrictions, match the front-end and Kuroco domains to generate first-party cookies.

IP address restriction

Blocks access from specified IP addresses.

Use one of the following formats:

  • CIDR (e.g., /24)
  • IP range with "-" (e.g., 192.0.2.1-192.0.2.2)
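As an added example (not part of the Kuroco documentation or product), the following Python matcher shows how a client address is tested against rules written in the two formats above, CIDR and dash-separated range, plus a bare single address. The rule strings are constructed sample values using documentation address ranges; a prefix length on its own, such as "/24" with no network address, is rejected as incomplete.

```python
import ipaddress

# Constructed sample rules in the formats the Security screen accepts.
# These are documentation ranges (RFC 5737), not real Kuroco settings.
SAMPLE_RULES = [
    "192.0.2.0/24",                   # CIDR
    "198.51.100.10-198.51.100.20",    # dash-separated range
    "203.0.113.7",                    # single address
]


def parse_rule(rule):
    """Turn one rule string into a (first, last) pair of IP addresses.

    Raises ValueError on anything that is not a complete rule, so a typo
    in the restriction list fails loudly instead of matching nothing.
    """
    rule = rule.strip()
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        # Version check first: comparing IPv4 with IPv6 raises TypeError.
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {rule}")
        return lo, hi
    # ip_network rejects a bare prefix length such as "/24"; strict=False
    # allows host bits to be set (e.g. "192.0.2.5/24" means 192.0.2.0/24).
    net = ipaddress.ip_network(rule, strict=False)
    return net[0], net[-1]


def is_valid_rule(rule):
    """True if parse_rule accepts the rule string."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def ip_matches(client_ip, rules):
    """True if client_ip falls inside any rule in the list."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        lo, hi = parse_rule(rule)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.21", "203.0.113.7"):
        print(ip, "matches" if ip_matches(ip, SAMPLE_RULES) else "no match")
```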

Reference tutorial

For detailed instructions on using and verifying the security settings, see: Verifying API security using Swagger UI