API security
The API "Security" screen allows you to edit the security settings.
Accessing the screen
In the left sidebar menu, click [API] and select the API you want to look at. Then, click [Security] on the API endpoint screen.
This displays the "Security" pop-up screen.
Security options
Choose among one of the four options below.
| Item | Description |
|---|---|
| None | No access restrictions. |
| Static Access Token | Statically generated authentication token. |
| Dynamic Access Token | Dynamically generated authentication token. |
| Cookie | Cookie-based authentication. |
Overview of the security options
None
No security settings. Select this option when creating and testing temporary development APIs or using completely open data.
We recommend selecting another setting if possible, as this option grants access to all users.
Static Access Token
Configures the authentication method using statically generated tokens. Used for inter-server communications. Specify the static token in the request header to allow access to secure endpoints.
This option runs the risk of token leaks and should be used in a closed network environment only.
To use a statically generated token, you need to create a required endpoint.
| Required endpoint | Category | Model | Operation |
|---|---|---|---|
| Token | Authentication | Login(v1) | token |
In the case of multiple token authentication APIs, the authentication status is not shared among them, and authentication is required for each API.
Dynamic Access Token
Configures the authentication method using dynamically generated tokens. Used for sites that require login. This option dynamically generates a one-time token for each login authentication request and specifies its value in the request header to allow access to secure endpoints.
To use a dynamic access token, you need to ensure the following:
- At least one user must be registered.
- The required endpoint must be created.
- Token management control must be implemented in the front-end.
| Required endpoint | Category | Model | Operation |
|---|---|---|---|
| Login | Authentication | Login(v1) | login_challenge |
| Token | Authentication | Login(v1) | token |
Like in the static access token option, the authentication status is not shared among multiple APIs, and authentication is required for each API.
Cookie
Configures the authentication method using cookies. Used for sites that require login.
Dynamically generating a cookie for each login authentication request and specifying its value in the request header allows access to secure endpoints.
To use cookies, you need to ensure the following:
- At least one user must be registered.
- The required endpoint must be created.
| Required endpoint | Category | Model | Operation |
|---|---|---|---|
| Login | Authentication | Login(v1) | login_challenge |
In the case of multiple cookie authentication APIs, the authentication status is shared among all of them.
To avoid third-party cookie restrictions, match the front-end and Kuroco domains to generate first-party cookies.
IP address restriction
Blocks access from specified IP addresses.
Use one of the following formats:
- CIDR (e.g., /24)
- IP range with "-" (e.g., 192.0.2.1-192.0.2.2)
Reference tutorial
For detailed instructions on using and verifying the security settings, see: Verifying API security using Swagger UI