Authentication
Both the Momento SDKs and HTTP API use API keys and session tokens to authenticate requests. You can create an API key through the Momento console. Session tokens are created through the Momento Auth client in the SDK. To decide whether your use case requires an API key or a session token, please reference the table below.
| API key | Session token | |
|---|---|---|
| What it is | Key used to identify and authorize the API caller. | Token that represents a user or system during a short-lived session. |
| Creation | Created one time via the Momento console. Can optionally expire and be refreshed. | Programmatically generated on authentication or specific system action. Short-lived and not renewable. |
| Scope | Can be used to create session tokens, add or remove caches, and all data operations. Able to be scoped to a specific set of permissions. | Used for data operations only. Can be scoped to specific caches or topics. |
| Security | Long-lived with high risk if compromised. Should be rotated regularly. | Max life of 1 hour. Limited only to data operations like read and write. |
| Use cases | Building integrations, creating a token vending machine, and server-to-server authentication. | User authentication, browser sessions, and temporary access to data. |