Authentication overview

Final Space secures access to its video infrastructure APIs through an authentication process that verifies the identity of applications and users. This mechanism ensures that only authorized entities can interact with services for video encoding, live streaming, content management, and AI video processing. The primary method for authentication involves the use of API keys, which are unique identifiers issued to developers or applications. These keys serve as credentials to confirm that incoming API requests originate from a legitimate source associated with a Final Space account.

When an API key is included in a request, Final Space's systems validate it against registered keys. Successful validation grants the request access to the specified API endpoints and resources, subject to the permissions associated with that key. This approach is common in RESTful API designs due to its simplicity and effectiveness in managing access control for server-to-server and application-to-server communications. Implementing authentication is a foundational step in integrating with Final Space's scalable video infrastructure, ensuring the confidentiality, integrity, and availability of video assets and related data.

Supported authentication methods

Final Space primarily supports API key authentication for its platform. This method is suitable for most integration scenarios, including server-side applications, backend services, and command-line tools. While API keys are the standard, the platform's underlying security infrastructure also relies on secure communication protocols.

API Key Authentication

API keys are long, randomly generated strings that act as both an identifier and a secret token. When you make a request to a Final Space API endpoint, you include your API key in the request header or as a query parameter, depending on the specific endpoint's requirements. The Final Space documentation provides specific guidance on where to place the API key for different operations, typically recommending the Authorization header for enhanced security Final Space API Authentication Headers.

Method When to Use Security Level
API Key Server-side applications, backend services, CLIs, integrations where the key can be securely stored. High (when stored securely and transmitted over HTTPS)

Secure Communication

All interactions with the Final Space API must occur over HTTPS (Hypertext Transfer Protocol Secure). HTTPS encrypts the communication channel between your application and Final Space's servers, protecting API keys and other sensitive data from interception during transit. This is a critical security measure that complements API key authentication, as described by network security best practices for web APIs Mozilla Web Security Contexts.

Getting your credentials

To begin integrating with Final Space, you need to obtain your API key. This process is managed through the Final Space developer dashboard.

  1. Sign Up or Log In: Navigate to the Final Space homepage and either sign up for a new account or log in to your existing one. A free tier is available, offering 5 GB storage, 10 GB bandwidth, and 100 minutes of encoding per month, which is sufficient for initial testing and development.
  2. Access the Dashboard: Once logged in, locate and access your developer dashboard. This is typically accessible via a 'Dashboard' or 'My Account' link.
  3. Navigate to API Settings: Within the dashboard, look for a section related to 'API Keys', 'Developer Settings', or 'Integrations'. The exact path may vary, but it will be clearly labeled for API access controls. Consult the Final Space Getting Started Guide for API Keys if you encounter difficulty.
  4. Generate a New API Key: You will find an option to generate a new API key. It's common practice to generate separate keys for different applications or environments (e.g., development, staging, production) to facilitate key rotation and granular access control. When generating a key, you may be prompted to assign it a name or description for easier identification later.
  5. Copy and Secure Your Key: After generation, your API key will be displayed. It is crucial to copy this key immediately and store it securely. Final Space generally displays the full key only once for security reasons, and you will not be able to retrieve it again if lost. If a key is lost, it must be revoked, and a new one generated.

Each API key is associated with your account and inherits the permissions granted to your account, or specific permissions if the platform supports role-based access control for keys. Review the Final Space API Key Management Guidelines for detailed information on managing key permissions and lifecycles.

Authenticated request example

Once you have obtained your API key, you can use it to make authenticated requests to the Final Space API. The following example demonstrates how to make a simple request to list video assets using Python, a primary language for Final Space API examples.


import requests
import os

# It's best practice to store your API key as an environment variable
FINAL_SPACE_API_KEY = os.environ.get("FINAL_SPACE_API_KEY")

if not FINAL_SPACE_API_KEY:
    raise ValueError("FINAL_SPACE_API_KEY environment variable not set.")

API_BASE_URL = "https://api.finalspace.com/v1"
ENDPOINT = "/videos" # Example endpoint for listing videos

headers = {
    "Authorization": f"Bearer {FINAL_SPACE_API_KEY}",
    "Content-Type": "application/json"
}

try:
    response = requests.get(f"{API_BASE_URL}{ENDPOINT}", headers=headers)
    response.raise_for_status() # Raise an exception for HTTP errors (4xx or 5xx)

    print("Successfully retrieved video list:")
    print(response.json())

except requests.exceptions.RequestException as e:
    print(f"An error occurred: {e}")
    if hasattr(e, 'response') and e.response is not None:
        print(f"Response status code: {e.response.status_code}")
        print(f"Response body: {e.response.text}")

This Python example illustrates:

  • Environment Variables: Storing the API key as an environment variable (FINAL_SPACE_API_KEY) is a recommended security practice to avoid hardcoding sensitive credentials directly in your source code.
  • Authorization Header: The API key is passed in the Authorization header using the Bearer scheme. This is a common convention for token-based authentication in RESTful APIs.
  • Error Handling: The code includes basic error handling to catch network issues or API-specific errors. Checking response.raise_for_status() and inspecting the response body for further details is crucial for robust integration.

For additional code examples in other supported SDKs like JavaScript, Ruby, PHP, and Go, refer to the Final Space API Reference.

Security best practices

Securing your Final Space API integration involves more than just obtaining an API key. Adhering to security best practices helps protect your applications and user data.

  1. Keep API Keys Confidential: Your API keys are essentially passwords to your Final Space account. Never hardcode them directly into client-side code (e.g., frontend JavaScript), public repositories, or commit them to version control systems without encryption. Use environment variables, secret management services (like AWS Secrets Manager, Google Secret Manager, or Azure Key Vault), or secure configuration files.
  2. Use HTTPS Everywhere: Always ensure that all communication with the Final Space API uses HTTPS. This encrypts data in transit, preventing eavesdropping and tampering. Final Space enforces HTTPS, but it's good practice to verify your client-side configurations also enforce it.
  3. Implement Least Privilege: If Final Space offers granular permissions for API keys, assign only the minimum necessary permissions required for a specific application or service. For instance, if an application only needs to upload videos, do not grant it permission to delete them. This limits the damage if a key is compromised.
  4. Rotate API Keys Regularly: Periodically rotate your API keys. This means generating a new key, updating your applications to use the new key, and then revoking the old key. Regular rotation reduces the window of opportunity for a compromised key to be exploited. The frequency of rotation depends on your security policies and risk assessment.
  5. Monitor API Usage: Regularly monitor your API usage through the Final Space dashboard. Look for unusual patterns or spikes that could indicate unauthorized access or abuse of your API keys. Set up alerts if the dashboard provides such functionality.
  6. Secure Your Development Environment: Ensure that your development machines and build pipelines are secure. Malicious software or insecure configurations in your development environment could expose your API keys.
  7. Validate and Sanitize Inputs: When sending data to the Final Space API, always validate and sanitize user inputs on your server side to prevent injection attacks or other vulnerabilities that could indirectly compromise your API key or the integrity of your data.
  8. Error Handling and Logging: Implement robust error handling and logging in your application. Avoid exposing sensitive information, such as API keys, in error messages or public logs. Log key events securely for auditing and incident response.

By following these best practices, developers can significantly enhance the security posture of their applications integrating with Final Space, protecting both their own and their users' data. For further security guidance, consult the Final Space Security Overview and general API security recommendations from industry authorities like the OWASP API Security Project.