
Permissions and access control

When creating a session token or API key, you can limit its permissions to specific namespaces, cache keys, cache key prefixes, and topics. You define these permissions in a Scope object when you create the token. Once created, the token can access only the cache keys and topics named in the permission scope, and can perform only the operations its roles allow (read, write, publish, subscribe, etc.). If a user attempts an action outside the bounds of the permission scope, they receive a 403 Unauthorized status code.

Scope

API keys and tokens can be scoped to specific sets of permissions to limit access to resources. The scope object contains both cache permissions and topic permissions.

Attributes


permissions* array of Cache permission and Topic permission

A set of cache and/or topic permissions used to scope the token.


The Scope object
{
  "permissions": [
    {
      "role": "readonly",
      "cache": "data",
      "item": {
        "key": "foo"
      }
    },
    {
      "role": "subscribeonly",
      "cache": "data",
      "topic": "bar"
    }
  ]
}

Cache permission

You can create permissions for individual cache keys, cache key prefixes, or for an entire cache. When creating a cache permission, users select one of three system-defined roles:

  • readwrite - Provides full access to cache data
  • writeonly - Provides access to only write operations (set, sortedSetIncrementScore, listPopFront, etc...)
  • readonly - Provides access to only read operations (get, dictionaryFetch, setFetch, etc...)

Attributes


role* enum

The system-defined permission set for cache operations

Allowed values: readwrite, writeonly, readonly

cache* string

The namespace to scope permissions to


item object

Configuration to limit cache operations to specific keys.


The Cache permission object
{
  "role": "readonly",
  "cache": "myCache",
  "item": {
    "keyPrefix": "id-45-",
    "key": "string"
  }
}

Topic permission

You can create permissions for individual or all topics in a given namespace. Topic prefixes are not supported. When creating a topic permission, users select from one of three system-defined roles:

  • publishsubscribe - Provides full access to topic data
  • publishonly - Provides access to only write operations (publish)
  • subscribeonly - Provides access to only read operations (subscribe)

Attributes


role* enum

The system-defined permission set for topic operations

Allowed values: subscribeonly, publishonly, publishsubscribe

cache* string

The namespace to scope permissions to


topic* string

The name of the specific topic to scope permissions to.


The Topic permission object
{
  "role": "subscribeonly",
  "cache": "myCache",
  "topic": "test-topic"
}
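
The scope rules described on this page, as an added Python example (not code from the service or its SDKs): it lints a Scope object against the documented roles and required attributes, then dry-runs requests against it so you can confirm a token is as narrow as intended before issuing it. The names validate_scope, is_allowed, OPS and PAGE_SCOPE are hypothetical, and treating a missing item as whole-cache access, with key and keyPrefix as alternatives, is an assumption.

```python
# Added example: lint a Scope dict and dry-run requests against it (not the service's code).
CACHE_ROLES = {"readwrite": {"read", "write"}, "writeonly": {"write"}, "readonly": {"read"}}
TOPIC_ROLES = {"publishsubscribe": {"publish", "subscribe"},
               "publishonly": {"publish"}, "subscribeonly": {"subscribe"}}
# Operation classes exactly as this page lists them; other operations are not covered.
OPS = {"get": "read", "dictionaryFetch": "read", "setFetch": "read",
       "set": "write", "sortedSetIncrementScore": "write", "listPopFront": "write",
       "publish": "publish", "subscribe": "subscribe"}


def validate_scope(scope):
    """Return a list of problems in a Scope dict; an empty list means it is well formed."""
    perms = scope.get("permissions")
    if not isinstance(perms, list):
        return ["permissions: required array"]
    problems = []
    for i, p in enumerate(perms):
        roles = TOPIC_ROLES if "topic" in p else CACHE_ROLES
        if p.get("role") not in roles:
            problems.append(f"permissions[{i}].role: must be one of {sorted(roles)}")
        if not isinstance(p.get("cache"), str):
            problems.append(f"permissions[{i}].cache: required string")
        if "topic" in p and not isinstance(p["topic"], str):
            problems.append(f"permissions[{i}].topic: must be a string")
    return problems


def is_allowed(scope, op, cache, key=None, topic=None):
    """True if some permission grants `op`; False is the case the page answers with 403."""
    action = OPS[op]
    for p in scope["permissions"]:
        if p.get("cache") != cache:
            continue
        if "topic" in p:
            if p["topic"] == topic and action in TOPIC_ROLES.get(p.get("role"), ()):
                return True
        elif action in CACHE_ROLES.get(p.get("role"), ()):
            item = p.get("item") or {}
            prefix = item.get("keyPrefix")
            # Assumption: no item means the whole cache; key and keyPrefix are alternatives.
            if not item or (key is not None and (
                    key == item.get("key") or (prefix is not None and key.startswith(prefix)))):
                return True
    return False


# Constructed sample: the Scope object shown on this page.
PAGE_SCOPE = {"permissions": [
    {"role": "readonly", "cache": "data", "item": {"key": "foo"}},
    {"role": "subscribeonly", "cache": "data", "topic": "bar"},
]}
```

Running the dry-run over the operations a client actually needs, plus a few it must not have, gives a quick regression check whenever a scope definition changes.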