Bytescale supports JWT-based authentication.
To use JWTs in your requests, please see:
https://www.bytescale.com/docs/auth
Example payload:

```json
{
  "access": {
    "pathPermissions": [
      {
        "match": { "path": "/users/user-xyz", "scope": "Children" },
        "permissions": {
          "read": {
            "file": { "downloadFile": ["*"], "getFileDetails": true },
            "folder": {
              "getFolderDescription": true,
              "getFolderPublicPermissions": true,
              "getFolderStorageLayer": true,
              "listFolderChildren": true
            }
          },
          "write": {
            "file": { "createFile": true, "deleteFile": true, "overwriteFile": true },
            "folder": {
              "createVirtualFolder": true,
              "deleteVirtualFolder": true,
              "setFolderDescription": true,
              "setFolderPublicPermissions": true,
              "setFolderStorageLayer": true
            }
          }
        }
      }
    ],
    "tagPermissions": { "write": ["*"] }
  },
  "accountId": "YOUR_ACCOUNT_ID",
  "allowedOrigins": ["https://example.com", "https://www.example.com"],
  "apiKeyId": "F91kfA1g",
  "exp": 1615680311,
  "iat": 1615680311,
  "sub": "string"
}
```

The access permissions for the JWT ("access" claim).
If the JWT is provided together with a public API key (see above), then the permissions from the API key are merged with the JWT's permissions, taking the JWT's permissions where overlaps occur.
Type: BytescaleJwtAccess
Your account ID ("accountId" claim).
We recommend always setting this field.
You must set this field if the JWT is passed via the Authorization request header (as opposed to via the Authorization-Token header alongside an API key in the Authorization header, or via a JWT cookie).
In particular, you must set this field when you pass the serviceWorkerScript parameter to AuthManager.beginAuthSession: that parameter makes your JWTs travel in the Authorization request header instead of the Cookie request header, to support browsers that don't support third-party cookies, like Safari.
Example: "A623uY2"
Type: String
Length: 7
Origin whitelist ("allowedOrigins" claim) to prevent Cross Site Request Forgery (CSRF).
We recommend always setting this field.
Leaving this field undefined or as an empty array will disable origin whitelisting, which is strongly discouraged as it allows Cross Site Request Forgery (CSRF) for file download and file transformation requests when cookie-based auth is used with the Bytescale CDN.
A CSRF attack, which a correctly set value protects you from, works like this: a phishing site that already knows your private file URLs (acquired through some other means) can temporarily download those files if a user of your web application visits the phishing site while authenticated with your application and using cookie-based auth with the Bytescale CDN.
You should set this field to an array of strings, where the elements represent the valid root URL(s) for your website.
Example: ["https://example.com","https://www.example.com"]
Type: String[]
When the "apiKeyId" claim is present, the JWT is evaluated within the security context of the referenced API key, regardless of the signing algorithm used to sign the JWT.
Authorization will be evaluated in two stages when the "apiKeyId" claim is present:
1. The JWT’s own permissions will be evaluated.
2. The referenced API key’s permissions will be evaluated.
Both checks must succeed for the request to be permitted. If the referenced API key does not exist, then the request will fail.
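The following is an added example (not Bytescale's code) that models the two-stage evaluation described above on constructed sample data. It assumes a simplified permission model: "scope": "Children" is taken to match any path beneath "match.path", and an operation such as "read.file.getFileDetails" is allowed only when the corresponding entry is exactly true. The `apiKeys` table, the hypothetical `authorize` function and the sample paths are assumptions made for illustration.

```javascript
// Added example (not Bytescale's code): a toy model of the two-stage authorization
// that applies when the JWT carries an "apiKeyId" claim. Both the JWT's own
// permissions and the referenced API key's permissions must allow the request.

// Constructed sample: the JWT's "access" claim.
const jwtAccess = {
  pathPermissions: [
    {
      match: { path: "/users/user-xyz", scope: "Children" },
      permissions: {
        read: { file: { getFileDetails: true } },
        write: { file: { createFile: true, deleteFile: true } },
      },
    },
  ],
};

// Constructed sample: API keys known to the account, keyed by apiKeyId.
// This key is broader on path but narrower on operations than the JWT above.
const apiKeys = {
  F91kfA1g: {
    pathPermissions: [
      {
        match: { path: "/users", scope: "Children" },
        permissions: {
          read: { file: { getFileDetails: true } },
          write: { file: { createFile: true } },
        },
      },
    ],
  },
};

// Assumption: "Children" matches any path strictly beneath match.path; any other
// scope is treated as an exact-path match in this toy model.
function pathMatches(match, requestPath) {
  if (match.scope === "Children") {
    const prefix = match.path.endsWith("/") ? match.path : match.path + "/";
    return requestPath.startsWith(prefix);
  }
  return requestPath === match.path;
}

// Walks the dotted operation name (e.g. "write.file.deleteFile") into the
// permissions object of every matching rule; allowed only if the leaf is true.
function accessAllows(access, requestPath, operation) {
  const keys = operation.split(".");
  return (access.pathPermissions || []).some((rule) => {
    if (!pathMatches(rule.match, requestPath)) return false;
    let node = rule.permissions;
    for (const k of keys) {
      if (node === null || typeof node !== "object") return false;
      node = node[k];
    }
    return node === true;
  });
}

// Hypothetical two-stage evaluator: stage 1 is the JWT, stage 2 the API key.
function authorize(jwtPayload, requestPath, operation) {
  if (!accessAllows(jwtPayload.access, requestPath, operation)) {
    return { allowed: false, stage: "jwt" };
  }
  const apiKey = apiKeys[jwtPayload.apiKeyId];
  if (!apiKey) return { allowed: false, stage: "apiKey", reason: "unknown apiKeyId" };
  if (!accessAllows(apiKey, requestPath, operation)) {
    return { allowed: false, stage: "apiKey" };
  }
  return { allowed: true };
}

// Usage with constructed values: the JWT alone would allow deleteFile, but the
// referenced API key does not, so the request is denied at stage 2.
const samplePayload = { access: jwtAccess, apiKeyId: "F91kfA1g", sub: "user-xyz" };
console.log(authorize(samplePayload, "/users/user-xyz/photo.jpg", "read.file.getFileDetails"));
console.log(authorize(samplePayload, "/users/user-xyz/photo.jpg", "write.file.deleteFile"));
```

The point to notice is that a JWT can never widen what its API key allows: the intersection of the two permission sets is what gets enforced, and a JWT that references a non-existent key is rejected outright.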
Signing requirements:
• When using "alg": "HS256" the "apiKeyId" claim must be present.
• If "apiKeyId" is not present, the JWT must use "alg": "RS256" and be signed with a private key whose corresponding public key certificate is uploaded to your Bytescale account.
Bytescale JWT Acceleration (Enterprise plans only):
Bytescale JWT Acceleration optimizes JWT-authenticated GET requests to the Bytescale CDN. Requests that include a JWT in the Authorization or Authorization-Token header are transparently rewritten at the edge into internally signed URLs, enabling significantly improved caching and performance, despite the uniqueness of JWTs.
To use this feature, you must:
• Use a custom CNAME for your Bytescale CDN requests (please contact support).
• Have JWT Acceleration enabled on that custom CNAME (please contact support).
• Sign your JWT with "alg": "HS256" using the API key's HMAC key (obtained from the API Key settings page). The API key's HMAC key must be base64-decoded and then used as a binary key when signing.
• Include an "apiKeyId" top-level claim in your JWT (obtained from the API Key settings page).
• Have JWT Acceleration enabled on your API key (via the API Key settings page).
Requests that do not meet these requirements will still be authenticated, but will not benefit from JWT Acceleration.
To learn more about JWT Acceleration or other Enterprise features, please contact Bytescale Support.
Example: "F91kfA1g"
Type: String
Length: 8
The time the JWT expires ("exp" claim), in seconds since midnight 1 January 1970, UTC.
Example: 1615680311
Type: Integer
Minimum: 0
The time the JWT was issued ("iat" claim), in seconds since midnight 1 January 1970, UTC.
Example: 1615680311
Type: Integer
Minimum: 0
User ID ("sub" claim) from your application's database.
Bytescale doesn't currently perform any logic based on this value.
However, the value is required, and we recommend setting it to a real user ID for logging and auditing purposes.
Type: String