Stream Authentication
In addition to basic authentication using traefik
, Hydrolix also supports token-based authentication when streaming to a table. With stream authentication, you must pass a valid token to stream data into a table. You can define an array of tokens in each table's configuration.
The ingestion API will return an HTTP 403 if token_auth_enabled
is true and the incoming token does not match anything in the configured token_list
.
Not a Bearer Token
This table-specific streaming token is different from the Bearer token used for user authentication.
Usage
You can pass tokens in one of two ways:
- the query string, e.g.
https://my.hydrolix.cluster/ingest/event?token=token1
- the HTTP header
x-hdx-token
When passing the token via query string parameters, either generate your tokens without special characters or always URL encode your tokens.
You can see usage, including valid and invalid requests per token, in the Prometheus reporting.
Always use TLS with stream authentication. This ensures that tokens are always encrypted when sent over the Internet.
Example
To enable token-based authentication, set the following values in the stream field of your table settings:
- set
token_auth_enabled
to true in the stream settings of the table - set
token_list
to an array of tokens. This allows for easy token rotations as well as using multiple tokens at the same time.
The following snippet shows a full example of a stream authentication configuration for a table:
"settings": {
...
"stream": {
"token_auth_enabled": true,
"token_list": ['token1', 'token2']
}
...
}
Updated about 17 hours ago