API Key Scoping & Security Roles
API Key Scoping & Security Roles
To enable continuous machine integration without sacrificing security, Asterisk 2 implements an advanced API authorization framework. The system manages cryptographic tokens mapped to specific resource access arrays, providing granular control over automated client operations.
Machine Authorization Pipeline
The layout below tracks the cryptographic validation sequence intercepting incoming API calls:
graph TD
%% Ingress Client
subgraph ClientTool["External Client Integration"]
Request["REST Request Payload<br/>(with X-API-KEY Header)"]
end
%% Pipeline Interception
subgraph ActionFilter["ASP.NET Core Authorization Filters"]
Filter["ApiKeyFilter.cs Execution Block"]
HashLook["Cryptographic Key Hash Lookup"]
end
%% Decision Node
subgraph ScopeResolver["API Token Role Scoping"]
RoleRO["ReadOnly Token Role<br/>(RAG Lookups, Document Reads)"]
RoleRW["ReadWrite Token Role<br/>(Document Creation, Project Sync)"]
end
%% Target Core
subgraph ExecTarget["Downstream Controller Modules"]
ApiEndpoints["Documentation / Media Controllers"]
McpGenerator["Admin Controller<br/>(Dynamic Tool Config Emitter)"]
end
%% Unauth
Drop["Reject with HTTP 401 / 403"]
%% Flow Lines
Request ==> Filter
Filter ==>|"Read X-API-KEY"| HashLook
HashLook -->|"Hash Mismatch"| Drop
HashLook ==>|"Hash Validated"| ScopeResolver
ScopeResolver -->|"Scope == ReadOnly"| RoleRO
ScopeResolver -->|"Scope == ReadWrite"| RoleRW
RoleRO -->|"HTTP GET Allowed"| ApiEndpoints
RoleRW ==>|"Full CRUD Action Allowed"| ApiEndpoints
RoleRW ==>|"Generate Tool Configuration"| McpGenerator
%% Custom CSS
classDef toolClass fill:#0f172a,stroke:#38bdf8,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef filterClass fill:#1e293b,stroke:#a855f7,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef scopeClass fill:#312e81,stroke:#ec4899,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef execClass fill:#065f46,stroke:#10b981,stroke-width:2px,color:#fff,rx:6px,ry:6px;
classDef dropClass fill:#7f1d1d,stroke:#f87171,stroke-width:2px,color:#fff,rx:6px,ry:6px;
class ClientTool,Request toolClass;
class ActionFilter,Filter,HashLook filterClass;
class ScopeResolver,RoleRO,RoleRW scopeClass;
class ExecTarget,ApiEndpoints,McpGenerator execClass;
class Drop dropClass;
Token Lifecycle Management
1. Hash Validation Pipeline (ApiKeyFilter.cs)
Incoming REST requests clear standard HTTP cookie processing to undergo key validation. The filter extracts the X-API-KEY string and hashes it to query persistent storage tables. If a match fails, the pipeline immediately stops execution.
2. Role-Based Scoping Directives
API keys carry strict operational capabilities:
ReadOnlyTokens: Granted solely for fetching document tree structures, querying RAG index content, and inspecting public project descriptions.ReadWriteTokens: Fully authorized to create project structures, provision nested page structures, host uploaded binary assets, and delete stale document records.
3. Dynamic Tool Configuration Emitter
To streamline client tool integration, AdminController.cs provides a dedicated dynamic endpoint (/api/Admin/mcp-config). This endpoint parses runtime API configurations and outputs standardized client tool setup files mapped directly to verified token permissions.