Authentication overview
Pantry offers a simplified approach to data storage, primarily designed for use cases requiring minimal setup and rapid deployment, such as small data storage, rapid prototyping, and serverless application backends. Its authentication model is built around two primary access configurations for a "Pantry" (a single JSON data store): public and protected. This design allows developers to choose between immediate public access for certain data or restricted access using an API key for sensitive information.
For public Pantries, no authentication is required for read, write, or update operations. This can be beneficial for data intended to be broadly accessible without credential management overhead. Conversely, protected Pantries require a unique API key, often referred to as a "Pantry ID" or "Secret Key," to authorize all interactions. This key serves as the primary credential for ensuring that only authorized requests can modify or retrieve data from a specific protected Pantry. The choice between these modes depends on the data's sensitivity and the application's security requirements, aligning with authentication principles in API design that balance accessibility and security.
Pantry's system does not implement more complex authentication schemes like OAuth 2.0 or mutual TLS, prioritizing ease of use over enterprise-grade security features. This focus makes it suitable for projects where the overhead of managing tokens or certificates would outweigh the benefits, such as personal projects or proof-of-concept applications. The simplicity extends to credential management, which is handled directly through the Pantry web interface during Pantry creation and configuration.
Supported authentication methods
Pantry's authentication mechanism is straightforward, supporting one primary method for securing access to data, alongside an option for completely public access. The system does not utilize standard authorization protocols such as OAuth 2.0 or more complex token-based systems. Instead, it relies on a discrete API key embedded directly within request URLs or headers for protected resources.
API Key (Secret Key)
The API Key, often referred to as the "Pantry ID" or "Secret Key," is the sole method for authenticating requests to a protected Pantry. This key is a unique identifier assigned to each protected Pantry upon creation. When making requests to a protected Pantry, this key must be included to grant access. Without the correct key, all API requests to a protected Pantry will be rejected.
- When to use: For any Pantry containing sensitive or private data that should not be publicly accessible. This method secures both read and write operations.
- How it works: The key identifies the specific Pantry and authenticates the requester. It acts as both an identifier and a secret.
Public Access (No Authentication)
Pantry also provides an option for completely public access. When a Pantry is configured for public access, no authentication credentials are required for any API operation. This means that anyone with knowledge of the Pantry's public URL can read, write, and update its data.
- When to use: For data that is intentionally public, such as configuration files, static content for a website, or data collected from public sources. Ideal for prototyping where security is a secondary concern.
- How it works: The API endpoint for a public Pantry does not require an API key, making it universally accessible.
Authentication methods summary
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Secret Key) | Accessing protected Pantries with sensitive or private data. | Moderate (relies on key secrecy). |
| Public Access (No Authentication) | Accessing Pantries with publicly available or non-sensitive data. | Low (no access control). |
Getting your credentials
Accessing your Pantry credentials, specifically the API key (Secret Key), is managed through the Pantry web interface. This process is integral to setting up and securing your projects on the platform.
Creating a new Pantry and obtaining its Secret Key
- Sign Up/Log In: Navigate to the Pantry homepage and either sign up for a new account or log in to an existing one.
- Create a New Pantry: Once logged in, you will typically find an option to "Create a New Pantry" or similar. Click this to begin the process.
- Configure Pantry Settings: During Pantry creation, you will be prompted to name your Pantry and, crucially, to set its access level. You will need to decide whether the Pantry should be "Public" or "Protected."
- Generate Secret Key: If you select "Protected," Pantry will automatically generate a unique Secret Key for this specific Pantry. This key is your primary credential for authenticating requests to it.
- Record Your Key: The Secret Key will be displayed on the screen once the Pantry is created. It is critical to copy and securely store this key immediately, as Pantry may not display it again for security reasons. If the key is lost, you may need to regenerate it, which could invalidate existing integrations.
Managing existing Pantry credentials
For existing Pantries, you can view and manage their settings, including obtaining or regenerating Secret Keys, by navigating to your dashboard:
- Access Dashboard: Log in to your Pantry account and go to your dashboard, which lists all your created Pantries.
- Select Pantry: Click on the specific Pantry for which you need the Secret Key.
- View/Regenerate Key: Within the Pantry's details or settings section, you should find an option to view the existing Secret Key (though it might be partially masked) or to regenerate a new one. Regenerating a key will immediately invalidate the old one, requiring updates in all your applications using that Pantry.
For detailed, step-by-step instructions with screenshots, refer to the official Pantry documentation. This resource provides the most current information regarding credential management and API usage.
Authenticated request example
Authenticating requests to a protected Pantry involves including the Secret Key (Pantry ID) in the request URL. Pantry's API design for protected resources typically expects the Secret Key as part of the endpoint path. The following example demonstrates how to perform a GET request to retrieve data from a protected Pantry using curl, a common command-line tool.
Assume your Secret Key is your_secret_pantry_id_12345 and you want to retrieve the entire content of your Pantry.
Retrieving data from a protected Pantry (GET)
curl -X GET "https://pantry.cloud/apiv1/pantry/your_secret_pantry_id_12345"
Explanation:
- curl -X GET: Specifies that this is an HTTP GET request to retrieve data.
- "https://pantry.cloud/apiv1/pantry/your_secret_pantry_id_12345": This is the API endpoint URL. The your_secret_pantry_id_12345 segment in the path is where your actual Secret Key must be inserted. Pantry uses this segment to identify and authenticate access to the specific protected resource.
Storing or updating data in a protected Pantry (POST/PUT)
To store or update data, you would use a POST or PUT request, also including the Secret Key in the URL, and provide the JSON data in the request body.
curl -X POST \
-H "Content-Type: application/json" \
-d '{"item": "milk", "quantity": 2}' \
"https://pantry.cloud/apiv1/pantry/your_secret_pantry_id_12345"
Explanation:
- curl -X POST: Specifies that this is an HTTP POST request to create or update data.
- -H "Content-Type: application/json": Sets the Content-Type header, indicating that the request body contains JSON data.
- -d '{"item": "milk", "quantity": 2}': Provides the JSON payload that will be stored in your Pantry.
- "https://pantry.cloud/apiv1/pantry/your_secret_pantry_id_12345": The same endpoint structure as for GET, including your Secret Key.
These examples illustrate the core mechanism for authenticating with Pantry. The Secret Key is consistently passed as part of the URL path for all authenticated operations. For more complex interactions, such as managing specific data points within a Pantry, refer to the Pantry API reference documentation.
Security best practices
While Pantry prioritizes simplicity, implementing fundamental security best practices is crucial, especially when using protected Pantries with API keys. Adhering to these guidelines helps mitigate risks associated with unauthorized access and data compromise.
1. Protect your Secret Keys
Your Pantry Secret Key is the primary means of accessing your protected data. Treat it like a password.
- Never hardcode keys: Avoid embedding Secret Keys directly into your application's source code, especially for client-side applications or publicly accessible repositories.
- Use environment variables: For server-side applications, store Secret Keys in environment variables. This keeps them out of your codebase and allows for easy rotation without code changes.
- Secure configuration files: If using configuration files, ensure they are not publicly accessible and have strict file permissions.
- Do not expose in client-side code: For web applications, never expose your Secret Key in client-side JavaScript or other front-end code, as it can be easily extracted by users. Use a backend proxy to make requests to Pantry from your client-side application.
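Because the Secret Key is a path segment of the request URL, any server-side log line or HTTP client error that prints the URL also prints the key. The following added Python example (not Pantry's own code) reads the key from an environment variable and scrubs it from log records; the variable name PANTRY_SECRET_KEY, the helper names and the sample log line are assumptions constructed for illustration.

```python
import logging
import os
import re

# Endpoint prefix taken from the page's curl examples.
PANTRY_BASE = "https://pantry.cloud/apiv1/pantry/"
# The path segment after the prefix is the Secret Key.
_KEY_IN_URL = re.compile(r"(/apiv1/pantry/)[^/?#\s\"']+")


def load_pantry_key(env=os.environ):
    """Read the key from PANTRY_SECRET_KEY (assumed variable name)."""
    key = env.get("PANTRY_SECRET_KEY", "").strip()
    if not key:
        raise RuntimeError("PANTRY_SECRET_KEY is not set")
    return key


def redact(text):
    """Mask the key segment of any Pantry URL found in text."""
    return _KEY_IN_URL.sub(r"\1[REDACTED]", text)


class PantryKeyFilter(logging.Filter):
    """Scrub Pantry URLs from log records before a handler emits them."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted and redacted
        return True


def demo():
    """Log a constructed failure line through the filter; return what was emitted."""
    emitted = []
    class ListHandler(logging.Handler):
        def emit(self, record):
            emitted.append(record.getMessage())

    handler = ListHandler()
    handler.addFilter(PantryKeyFilter())
    log = logging.getLogger("pantry-demo")
    log.handlers, log.propagate = [handler], False
    key = load_pantry_key({"PANTRY_SECRET_KEY": "your_secret_pantry_id_12345"})
    log.error("GET %s failed with status %s", PANTRY_BASE + key, 500)  # constructed
    return emitted


if __name__ == "__main__":
    print(demo())
```

Attach the filter to every handler that can receive request URLs, including handlers used by HTTP client libraries, since a filter on one handler does not cover the others.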
2. Regularly rotate Secret Keys
Periodically generating a new Secret Key for your protected Pantries helps reduce the risk of compromise. If a key is leaked, rotating it ensures that the old, compromised key becomes invalid.
- Scheduled rotation: Implement a routine for key rotation, perhaps every 90 days or as per your organization's security policy.
- Immediate rotation upon suspected compromise: If you suspect a Secret Key has been exposed or compromised, regenerate it immediately via the Pantry dashboard.
3. Limit data sensitivity
Given Pantry's lightweight security model, it is generally not recommended for storing highly sensitive personal data (e.g., personally identifiable information, financial data, health records) or data requiring stringent compliance standards (e.g., HIPAA, PCI DSS). While a Secret Key offers protection, the platform's design is not geared towards the advanced security measures found in enterprise databases.
- Evaluate data: Before storing data, assess its sensitivity. Consider if a more robust, compliant database solution is necessary for truly critical information.
- Anonymize or encrypt: If you must store semi-sensitive data, consider anonymizing it or encrypting it client-side before sending it to Pantry. Note that client-side encryption adds complexity and requires careful key management on your end.
4. Use HTTPS exclusively
Always ensure all communications with the Pantry API are conducted over HTTPS. Pantry inherently uses HTTPS for its API endpoints, which encrypts data in transit, protecting your Secret Keys and data from eavesdropping during transmission. This aligns with standard practices for secure web communication.
5. Implement rate limiting and error handling (on your side)
While Pantry may have its own limits, implementing rate limiting and robust error handling in your application can prevent abuse and improve resilience.
- Prevent brute-force attacks: If your application logic relies on Pantry for critical operations, implement rate limiting on your server to prevent an attacker from repeatedly trying to guess or misuse a key if they gain partial access.
- Graceful degradation: Design your application to handle API errors gracefully, such as when a key is invalid or a request is malformed.
By following these best practices, developers can leverage Pantry's simplicity while maintaining an appropriate level of security for their applications and data.