Skip to main content
Skip table of contents

Bootstrapping API keys

API keys are the default method used to authenticate with DCT, which is done by including the API key in the HTTP Authorization request header with the apk type.

API keys are long-live tokens and as a result, do not automatically expire in the future. They remain valid until they are deleted or destroyed from DCT. Rotating API keys periodically is strongly recommended to avoid security risk.

Client URL (cURL) is a CLI tool for transferring data via URLs, which is how the authorization to DCT can pass. A demonstration cURL authorization with an example API key would appear as follows.

API key

CODE 
1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3

Command

CODE 
curl --header 'Authorization: apk 
1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3'

cURL, similar to web browsers and other HTTP clients, will not connect to DCT over HTTPS unless a valid TLS certification has been configured for the Nginx server.

cURL must be on version 7.43 or higher.

Bootstrap first API key

The recommended process is that you only use the first (bootstrapped) API key to create another API key, then delete the first key promptly afterwards. This process is best for enhanced security, because the bootstrap key is more broadly accessible during setup, as it might be hardcoded in scripts, configuration files, or recorded in logs.

This process can be repeated as many times as needed, for example, in a case where existing API keys are lost or have been deleted.

Once the DCT application is started, edit the values.yaml file and modify the apiKeyCreate property to have a string value of true.

NONE 
apiKeyCreate: true

Upgrade DCT with:

CODE 
helm upgrade dct-services <directory path of extracted chart>

If the values.yaml file needs to be overridden from outside, use:

CODE 
helm upgrade dct-services -f <path_to_values.yaml> <directory path of extracted chart>

A similar output should appear in the gateway pod logs with the newly generated key (please note, this is an example key):

CODE 
NEWLY GENERATED API KEY: 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3

The gateway-pod-name will appear in the format of gateway-xxx and can be found using:

CODE 
kubectl get pods -n dct-services

The logs for the gateway pod can be accessed using:

CODE 
kubectl logs <gateway-pod-name> -n dct-services

The newly generated key can now be used to authenticate with DCT, as exemplified in the first section of this page. Remember to prefix the API key value with apk, as follows:

CODE 
curl --header 'Authorization: apk 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3'

Edit the values.yaml and set the apiKeyCreate property back to a string value of false and upgrade DCT again with the same command used above.

CODE 
helm upgrade dct-services <directory path of extracted chart>

Like before, if the values.yaml file needs to be overridden from outside, use:

CODE 
helm upgrade dct-services -f <path_to_values.yaml> <directory path of extracted chart>

Create and manage API keys

As recommended above, the first API key should be used to create a new, secure admin key. To do this, create a new Account entity and set the generate_api_key property to true. The username value should be the desired name to uniquely identify the account.

If the cURL version is below 7.43, replace --data-raw with --data in the following.

CODE 
curl --location --request POST 'https://<hostname>/v2/management/accounts' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk 1.0p9PMkZO4Hgy0ezwjhX0Fi4lEKrD4pflejgqjd0pfKtywlSWR9G0fIaWajuKcBT3' \
--data-raw '{
 "username": "secure-key",
 "generate_api_key": true,
 "is_admin": true
}'

A similar response should be received as shown below:

CODE 
{
 "id": 2,
 "token": "2.vCfC0MnpySYZLshuxap2aZ7xqBKAnQvV7hFnobe7xuNlHS9AF2NQnV9XXw4UyET6"
 "username":"secure-key"
}

Now that the new, secure API key has been created, the old one must be deleted for the security purposes outlined in the first section of this page. To do this, make the following request:

CODE 
curl --location --request DELETE 'https://<hostname>/v2/management/api-clients/<id>' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk 2.vCfC0MnpySYZLshuxap2aZ7xqBKAnQvV7hFnobe7xuNlHS9AF2NQnV9XXw4UyET6'

The <id> referenced above is the numeric ID of the Account entity—the integer before the period in the token. For example, the id of 1.0p9PMkZ04Hgy0ezwjhX... is 1.

To list all of the current Accounts, use:

CODE 
curl --location --request GET 'https://<hostname>/v2/management/accounts/' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: apk <your API key>'
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close