As our customers build more sophisticated applications using our API, their requirements and needs are evolving. To provide greater flexibility and control to our customers, we are introducing API Keys, an authentication method that gives more power to developers to build applications for all of their needs.
Read on to learn more about API keys and why they’re better for you, or skip directly to the usage instructions at the bottom of this post!
API Keys now carry scopes, which restrict a key to selected API calls for an app. For example, a developer could generate an API Key that has permission to make only a ‘Predict’ or a ‘Search’ API call. Such a key can be considered ‘read-only’, as you wouldn’t be able to make any changes to the application with it. Alternatively, a developer who wants to create and train a custom model would add the “Models:Add” and “Models:Patch” scopes to their key.
There are many benefits to using API Keys, but they are especially valuable when developing an application that authorizes on the client side (e.g. the browser), or a mobile application. In both situations, there is a risk of an end user reverse engineering the code to retrieve the key being used. When building those applications, developers should protect their app by using a ‘read-only’ key in the production environment, which reduces the vulnerability of their app.
In the past, we have used OAuth2 client credentials (Client ID, Client Secret, Access Token) to authenticate access to our API. While this authentication method is also secure, it didn’t offer finer-grained scopes, nor did it allow our customers to delete a token in case it was compromised. API Keys will empower our customers to do more.
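A minimal model of the scoped, deletable keys described above, as an added example that is not Clarifai's code or API. The scope names are the ones quoted in this post; `KeyStore`, `authorize` and `client_side_violations` are hypothetical names used only for illustration.

```python
import hashlib
import secrets

# Scope names quoted in the post; everything else here is hypothetical.
READ_ONLY_SCOPES = frozenset({"Predict", "Search"})


class KeyStore:
    """In-memory model of scoped, deletable API keys (illustration only)."""

    def __init__(self):
        self._keys = {}  # sha256(key) -> frozenset of granted scopes

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, scopes):
        key = secrets.token_urlsafe(32)
        # Keep only a digest so a leaked table does not expose usable keys.
        self._keys[self._digest(key)] = frozenset(scopes)
        return key

    def delete(self, key):
        """Revoke a key; returns True if the key existed."""
        return self._keys.pop(self._digest(key), None) is not None

    def authorize(self, key, scope):
        """Allow a call only if the key exists and carries that scope."""
        scopes = self._keys.get(self._digest(key))
        return scopes is not None and scope in scopes


def client_side_violations(scopes):
    """Scopes that should not be on a key shipped in a browser or mobile app."""
    return sorted(set(scopes) - READ_ONLY_SCOPES)


def demo():
    store = KeyStore()
    browser_key = store.create({"Predict", "Search"})
    trainer_key = store.create({"Predict", "Models:Add", "Models:Patch"})
    results = {
        "browser_predict": store.authorize(browser_key, "Predict"),
        "browser_add": store.authorize(browser_key, "Models:Add"),
        "trainer_add": store.authorize(trainer_key, "Models:Add"),
    }
    store.delete(browser_key)  # key was extracted from the client: revoke it
    results["browser_after_delete"] = store.authorize(browser_key, "Predict")
    return results
```

Running `client_side_violations` over the scopes of any key destined for a client build is a cheap pre-release check that the key is still ‘read-only’.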
We realize that this is a significant change in how developers interact with our API. However, we believe that this change is worth making, as it provides more power, security, and control for our customers, which in turn makes applications more secure, and makes the Clarifai platform friendlier to use.
With this change, existing developers who already have applications using Access Tokens for authentication will not experience a breaking change. We will allow both auth methods (Access Tokens and API Keys) until late 2017 to give everyone enough time to transition over to the new authentication method. Following that, we will deprecate Access Tokens, and developers will only be able to authenticate using API Keys.
You can continue building your apps using the new and safer authentication method!