Authorization
Bytescale supports the following authorization methods:
| Authorization Method | Maximum Level of Access | When to use |
|---|---|---|
Download public files via the URL. | Hosting public media assets for your website. | |
Download private files via the URL. | Hosting files for logged-in members of your site. | |
Download and upload files (per the API key's configuration). | Accepting file uploads on forms. | |
All operations (per the JWT's configuration). | Allowing your site's users to delete specific files. | |
All operations (per the API key's configuration). | Performing admin tasks via your backend services. | |
All operations. | Performing admin tasks via our easy-to-use UI. |
Public file access refers to anonymous/unauthenticated downloads:
By default, all files are public.
To make files private, you must change the parent folder's permissions from "Public" to either "Private" or "Limited" access.
This makes files within the folder private:
Please note:
Public permissions are configured on a per-folder basis.
Public permissions can be configured via the Bytescale Dashboard (see example above) or using the PutFolder endpoint.
Public permissions are recursive, meaning if you don't define public permissions for a folder, the parent folder's permissions are used.
You can create an unlimited number of folders, each with their own unique public permissions.
Public API keys can upload to private folders. See: Configuring API key permissions
Public API keys can download from private folders (although this is often not a desired configuration). See: Configuring API key permissions
To control uploads/downloads via your backend API, please use JWTs.
To download private files, use one of these options:
Bytescale Dashboard users have full access to all resources (including private files).
This is the easiest way to access private files, as no code is required.
API keys can be configured with varying levels of access in the Bytescale Dashboard.
To attach an API key to a Bytescale API or Bytescale CDN request:
Add an Authorization header to your HTTP request.
The value for the HTTP header must be one of:
Option 1) prefix "Bearer " to your API key to produce the Authorization header value.
Option 2) use HTTP basic authorization, specifying apikey as your username, and your API key as your password.
The Bytescale SDKs perform the above for you.
Your API key must have sufficient permissions to the file you're accessing, see: Configuring API key permissions
JWTs allow you to generate access permissions for your users at runtime, using your backend API.
To use JWTs with public API keys:
Add the public API key to the Authorization request header (follow steps above).
Add the JWT to the Authorization-Token request header.
To generate a JWT, see: Generating JWTs
JWT cookies allow you to create authenticated browser sessions for your users, giving them access to private files directly via the URL.
JWT cookies allow <img /> elements that reference private files to render correctly.
To use JWT cookies:
Create an API endpoint to generate JWTs. (See: Generating JWTs)
Call the AuthManager.beginAuthSession method from the Bytescale JavaScript SDK to start a JWT session.
Calling AuthManager.beginAuthSession on the Bytescale JavaScript SDK will also cause uploads from the Bytescale Upload Widget to be authenticated using JWTs.
import * as Bytescale from "@bytescale/sdk";// Call this function after your user signs in:async function onSignIn() {// The URL for your auth API endpoint.// Your URL must:// - Return a JWT as plain text.// - Return a 'content-type: text/plain' response header.// - Return a 200 status code.// - Return a signed JWT (i.e. the JWT must include 2x "." characters) using RS256.// - The public key certificate must be added to the Bytescale Dashboard.// - The JWT must not be wrapped with "".const authUrl = "https://your-web-app/your-auth-url";// Headers required by your API endpoint (e.g. 'authorization' header).const authHeaders = () => Promise.resolve({authorization: "some auth token"});// Wait for authentication to complete:await Bytescale.AuthManager.beginAuthSession({accountId: "YOUR_ACCOUNT_ID", // e.g. "W142hJk"authUrl,authHeaders});}File uploads from the Bytescale Upload Widget and Bytescale JavaScript SDK will now be authenticated using JWTs, as will all other requests from the Bytescale JavaScript SDK.
File downloads will require ?auth=true appending to the file URL (this applies to privately-accessible files only).
The Bytescale JavaScript SDK includes a UrlBuilder that does this for you:
Downloading a private image (raw):
import * as Bytescale from "@bytescale/sdk";// Returns: "https://upcdn.io/1234abc/raw/example.jpg?auth=true"Bytescale.UrlBuilder.url({accountId: "1234abc",filePath: "/example.jpg",options: {auth: true}});Downloading a private image (transformed):
import * as Bytescale from "@bytescale/sdk";// Returns: "https://upcdn.io/1234abc/image/example.jpg?w=800&h=600&auth=true"Bytescale.UrlBuilder.url({accountId: "1234abc",filePath: "/example.jpg",options: {transformation: "image",transformationParams: {w: 800,h: 600},auth: true}});
To configure the permissions your JWTs grant to your users, see Generating JWTs.
To configure the permissions an API key grants to a user:
Navigate to: https://www.bytescale.com/dashboard/security/api_keys
Find & edit your API key
Click the "Permissions" tab
Click the "Add Path Permission" button
Add the paths /my_folder/* and/or /my_folder/*/**
The /* path suffix matches all children of the folder.
The /*/** path suffix matches all grandchildren of the folder, recursively.
Since they match different levels within the folder, you may want to specify both patterns, or just one of them.
Set the relevant permissions for your new path permission(s), e.g. "Uploads" and "Downloads"
Click "Save Changes"
The above configuration allows users to perform uploads and downloads to /my_folder (recursively) with this API key.