Back to page
API Key Scoping & Security Roles
Raw Markdown & AI/RAG Chunks
Raw Markdown Source
3552 chars
# API Key Scoping & Security Roles
To enable continuous machine integration without sacrificing security, **Asterisk 2** implements an advanced API authorization framework. The system manages cryptographic tokens mapped to specific resource access arrays, providing granular control over automated client operations.
---
## Machine Authorization Pipeline
The layout below tracks the cryptographic validation sequence intercepting incoming API calls:
```mermaid
graph TD
%% Ingress Client
subgraph ClientTool["External Client Integration"]
Request["REST Request Payload<br/>(with X-API-KEY Header)"]
end
%% Pipeline Interception
subgraph ActionFilter["ASP.NET Core Authorization Filters"]
Filter["ApiKeyFilter.cs Execution Block"]
HashLook["Cryptographic Key Hash Lookup"]
end
%% Decision Node
subgraph ScopeResolver["API Token Role Scoping"]
RoleRO["ReadOnly Token Role<br/>(RAG Lookups, Document Reads)"]
RoleRW["ReadWrite Token Role<br/>(Document Creation, Project Sync)"]
end
%% Target Core
subgraph ExecTarget["Downstream Controller Modules"]
ApiEndpoints["Documentation / Media Controllers"]
McpGenerator["Admin Controller<br/>(Dynamic Tool Config Emitter)"]
end
%% Unauth
Drop["Reject with HTTP 401 / 403"]
%% Flow Lines
Request ==> Filter
Filter ==>|"Read X-API-KEY"| HashLook
HashLook -->|"Hash Mismatch"| Drop
HashLook ==>|"Hash Validated"| ScopeResolver
ScopeResolver -->|"Scope == ReadOnly"| RoleRO
ScopeResolver -->|"Scope == ReadWrite"| RoleRW
RoleRO -->|"HTTP GET Allowed"| ApiEndpoints
RoleRW ==>|"Full CRUD Action Allowed"| ApiEndpoints
RoleRW ==>|"Generate Tool Configuration"| McpGenerator
%% Custom CSS
classDef toolClass fill:#0f172a,stroke:#38bdf8,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef filterClass fill:#1e293b,stroke:#a855f7,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef scopeClass fill:#312e81,stroke:#ec4899,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef execClass fill:#065f46,stroke:#10b981,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef dropClass fill:#7f1d1d,stroke:#f87171,stroke-width:2px,color:#fff,rx:6px,ry:6px;
class ClientTool,Request toolClass;
class ActionFilter,Filter,HashLook filterClass;
class ScopeResolver,RoleRO,RoleRW scopeClass;
class ExecTarget,ApiEndpoints,McpGenerator execClass;
class Drop dropClass;
```
---
## Token Lifecycle Management
### 1. Hash Validation Pipeline (`ApiKeyFilter.cs`)
Incoming REST requests clear standard HTTP cookie processing to undergo key validation. The filter extracts the `X-API-KEY` string and hashes it to query persistent storage tables. If a match fails, the pipeline immediately stops execution.
### 2. Role-Based Scoping Directives
API keys carry strict operational capabilities:
- **`ReadOnly` Tokens**: Granted solely for fetching document tree structures, querying RAG index content, and inspecting public project descriptions.
- **`ReadWrite` Tokens**: Fully authorized to create project structures, provision nested page structures, host uploaded binary assets, and delete stale document records.
### 3. Dynamic Tool Configuration Emitter
To streamline client tool integration, `AdminController.cs` provides a dedicated dynamic endpoint (`/api/Admin/mcp-config`). This endpoint parses runtime API configurations and outputs standardized client tool setup files mapped directly to verified token permissions.
AI Chunks (RAG)
3 chunks
Chunk #1
API Key Scoping & Security Roles
# API Key Scoping & Security Roles To enable continuous machine integration without sacrificing security, **Asterisk 2** implements an advanced API authorization framework. The system manages cryptographic tokens mapped to specific resource access arrays, providing granular control over automated client operations. ---
Chunk #2
Machine Authorization Pipeline
## Machine Authorization Pipeline
The layout below tracks the cryptographic validation sequence intercepting incoming API calls:
```mermaid
graph TD
%% Ingress Client
subgraph ClientTool["External Client Integration"]
Request["REST Request Payload<br/>(with X-API-KEY Header)"]
end
%% Pipeline Interception
subgraph ActionFilter["ASP.NET Core Authorization Filters"]
Filter["ApiKeyFilter.cs Execution Block"]
HashLook["Cryptographic Key Hash Lookup"]
end
%% Decision Node
subgraph ScopeResolver["API Token Role Scoping"]
RoleRO["ReadOnly Token Role<br/>(RAG Lookups, Document Reads)"]
RoleRW["ReadWrite Token Role<br/>(Document Creation, Project Sync)"]
end
%% Target Core
subgraph ExecTarget["Downstream Controller Modules"]
ApiEndpoints["Documentation / Media Controllers"]
McpGenerator["Admin Controller<br/>(Dynamic Tool Config Emitter)"]
end
%% Unauth
Drop["Reject with HTTP 401 / 403"]
%% Flow Lines
Request ==> Filter
Filter ==>|"Read X-API-KEY"| HashLook
HashLook -->|"Hash Mismatch"| Drop
HashLook ==>|"Hash Validated"| ScopeResolver
ScopeResolver -->|"Scope == ReadOnly"| RoleRO
ScopeResolver -->|"Scope == ReadWrite"| RoleRW
RoleRO -->|"HTTP GET Allowed"| ApiEndpoints
RoleRW ==>|"Full CRUD Action Allowed"| ApiEndpoints
RoleRW ==>|"Generate Tool Configuration"| McpGenerator
%% Custom CSS
classDef toolClass fill:#0f172a,stroke:#38bdf8,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef filterClass fill:#1e293b,stroke:#a855f7,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef scopeClass fill:#312e81,stroke:#ec4899,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef execClass fill:#065f46,stroke:#10b981,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef dropClass fill:#7f1d1d,stroke:#f87171,stroke-width:2px,color:#fff,rx:6px,ry:6px;
class ClientTool,Request toolClass;
class ActionFilter,Filter,HashLook filterClass;
class ScopeResolver,RoleRO,RoleRW scopeClass;
class ExecTarget,ApiEndpoints,McpGenerator execClass;
class Drop dropClass;
```
---
Chunk #3
Token Lifecycle Management
## Token Lifecycle Management ### 1. Hash Validation Pipeline (`ApiKeyFilter.cs`) Incoming REST requests clear standard HTTP cookie processing to undergo key validation. The filter extracts the `X-API-KEY` string and hashes it to query persistent storage tables. If a match fails, the pipeline immediately stops execution. ### 2. Role-Based Scoping Directives API keys carry strict operational capabilities: - **`ReadOnly` Tokens**: Granted solely for fetching document tree structures, querying RAG index content, and inspecting public project descriptions. - **`ReadWrite` Tokens**: Fully authorized to create project structures, provision nested page structures, host uploaded binary assets, and delete stale document records. ### 3. Dynamic Tool Configuration Emitter To streamline client tool integration, `AdminController.cs` provides a dedicated dynamic endpoint (`/api/Admin/mcp-config`). This endpoint parses runtime API configurations and outputs standardized client tool setup files mapped directly to verified token permissions.