You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: sources/platform/integrations/programming/api.md
+77-6Lines changed: 77 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,24 +24,95 @@ To access the Apify API in your integrations, you need to authenticate using you
24
24
25
25
26
26
27
+
:::caution
28
+
29
+
Do not share the API token with untrusted parties, or use it directly from client-side code,
30
+
unless you fully understand the consequences! You can also consider [limiting the permission scope](#limited-permissions) of the token, so that it can only access what it really needs.
31
+
32
+
:::
33
+
27
34
## Authentication
28
35
29
36
You can authenticate the Apify API in two ways. You can either pass the token via the `Authorization` HTTP header or the URL `token` query parameter. We always recommend you use the authentication via the HTTP header as this method is more secure.
30
37
31
-
> **IMPORTANT**: **Do not share the API token with untrusted parties, or use it directly from client-side code,
32
-
unless you fully understand the consequences!**
33
-
34
38
Note that some API endpoints, such as [Get list of keys](/api/v2#/reference/key-value-stores/key-collection/get-list-of-keys),
35
39
do not require an authentication token because they contain a hard-to-guess identifier that effectively serves as an authentication key.
36
40
37
41
## Organization accounts
38
42
39
-
> This information is only relevant to members or owners of organization accounts.
40
-
41
43
When working under an organization account, you will see two types of API tokens on the Integrations page.
42
44
43
-
45
+
44
46
45
47
The Personal API tokens are different from your own Personal API tokens mentioned above. If you use this token in an integration, it will have the same permissions that you have within the organization, and all the operations you use it for will be ascribed to you.
46
48
47
49
On the other hand the Organization API tokens (only visible if you are the owner or have Manage access tokens permission) have full permissions and are not tied to a specific member of the organization.
50
+
51
+
## API tokens with limited permissions {#limited-permissions}
52
+
53
+
By default, tokens can access all data in your account. If that is not desirable, you can choose to limit the permissions of your token, so that it can only access data needed for the particular use case. We call these tokens **scoped**.
54
+
55
+
**A scoped token can access only those resources that you'll explicitly allow it to.**
56
+
57
+
### How to create a scoped token
58
+
59
+
Scoped tokens behave like standard API tokens and are managed through the [Integrations](https://console.apify.com/settings/integrations) page in Apify Console. When creating a token (or updating an existing one), simply toggle "Limit token permissions" to make the token scoped.
60
+
61
+
Once the token is scoped, you can specify the token's permissions.
62
+
63
+
64
+
65
+
### Account level vs resource-specific permissions
66
+
67
+
We support two different types of permissions for tokens:
68
+
69
+
-**Account level permissions**: These will apply to all resources in the entire account. For example, you can use these to allow the token to run _all_ your Actors.
70
+
71
+
-**Resource-specific permissions**: These will apply only to specific, existing resources. For example, you can use these to allow the token to read from a particular dataset.
72
+
73
+
:::tip
74
+
75
+
A single token can combine both types. You can create a token that can _read_ any data storage, but _write_ only to one specific key-value store.
76
+
77
+
:::
78
+
79
+
80
+
81
+
### Allowing tokens to create resources
82
+
83
+
If you need to create new resources with the token (for example, create a new Task, or storage), you need to explicitly allow that as well.
84
+
85
+
Once you create a new resource with the token, _the token will gain full access to that resource_, regardless of other permissions. It is not possible to create a token that can create a dataset, but not write to it.
86
+
87
+
:::tip
88
+
89
+
This is useful if you want to for example create a token that can dynamically create & populate datasets, but without the need to access other datasets in your account.
90
+
91
+
:::
92
+
93
+
### Actor execution and scheduling
94
+
95
+
When you run an Actor with a scoped token (or schedule one), Apify will inject a new, _unscoped_ token to the Actor. This means that **the Actor will have full access to all resources in your account**.
96
+
97
+
This way you can be sure that once you give a token the permission to run an Actor, it will just work, and you don't have to worry
98
+
about the exact permissions the Actor might need. However, this also means that you need to trust the Actor.
99
+
100
+
:::note
101
+
102
+
This is why **we currently do not allow scoped tokens to create or modify Actors**. With those permissions it would be easy for the token to upload malicious code and gain access to your full account. If you do need to create or modify Actors via Apify API, you need to use an unscoped token.
103
+
104
+
:::
105
+
106
+
### Webhoooks configuration
107
+
108
+
If you allow a token to run an Actor, it'll also be able to manage the Actor's webhooks (similarly for tasks).
109
+
110
+
If you set up a webhook pointing to the Apify API, the Apify platform will automatically inject a token when dispatching that webhook. However, if you set up such a webhook with a scoped token, **that webhook will be dispatched with a token with the same limited permissions**.
111
+
112
+
Therefore, you need to make sure the token has sufficient permissions not only to set up the webhook, but also to perform the actual operation.
113
+
114
+
:::tip
115
+
116
+
Let's say you want to create a webhook that pushes an item to a dataset every time an Actor successfully finishes. Then such a scoped token needs to be allowed to both run the Actor (to create the webhook), and write to that dataset.
0 commit comments