Stream Authentication

In addition to basic authentication using traefik, Hydrolix also supports token-based authentication when streaming to a table. With stream authentication, you must pass a valid token to stream data into a table. You can define an array of tokens in each table's configuration.

The ingestion API will return an HTTP 403 if token_auth_enabled is true and the incoming token does not match anything in the configured token_list.

📘
Not a Bearer Token
This table-specific streaming token is different from the Bearer token used for user authentication.

Usage

You can pass tokens in one of two ways:

the query string, e.g. https://my.hydrolix.cluster/ingest/event?token=token1
the HTTP header x-hdx-token

When passing the token via query string parameters, either generate your tokens without special characters or always URL encode your tokens.

You can see usage, including valid and invalid requests per token, in the Prometheus reporting.

Always use TLS with stream authentication. This ensures that tokens are always encrypted when sent over the Internet.

Example

To enable token-based authentication, set the following values in the stream field of your table settings:

set token_auth_enabled to true in the stream settings of the table
set token_list to an array of tokens. This allows for easy token rotations as well as using multiple tokens at the same time.

The following snippet shows a full example of a stream authentication configuration for a table:

"settings": {
  ...
  "stream": {
    "token_auth_enabled": true,
    "token_list": ['token1', 'token2']
  }
  ...
}

📘Not a Bearer Token

Usage

Example

📘
Not a Bearer Token