Authentication overview

Web3 Storage provides a service layer over decentralized storage networks such as IPFS and Filecoin, enabling developers to store and retrieve data for Web3 applications. Access to these services is controlled through authentication mechanisms that ensure only authorized entities can interact with stored content and account resources. The primary method for authenticating requests to the Web3 Storage API is via API tokens, also referred to as API keys.

An API token acts as a unique identifier and secret key, granting programmatic access to your Web3 Storage account. When a request is made to the Web3 Storage API, this token is included in the request headers to verify the identity and permissions of the caller. This model is common among cloud API providers, where a token represents the authorization to perform specific actions on behalf of a user or application.

Web3 Storage’s use of API tokens aligns with standard practices for securing API access. Unlike traditional authentication involving usernames and passwords for interactive logins, API tokens are designed for machine-to-machine communication, offering a scalable and manageable way to control access to decentralized storage infrastructure. The token-based approach is stateless, meaning the server does not need to store session information, which can simplify API design and deployment. For more detailed information on the API, refer to the Web3 Storage API reference documentation.

Supported authentication methods

Web3 Storage primarily supports API tokens for authenticating requests to its services. These tokens are generated by authenticated users through the Web3 Storage user interface and are then used programmatically to sign requests.

Method When to Use Security Level
API Token (API Key) Programmatic access to Web3 Storage API, client-side applications, server-side integrations, SDK usage. High (when stored securely and rotated regularly). Offers granular control over access.

API Tokens Explained

API tokens are long, randomly generated strings that serve as credentials for making requests to the Web3 Storage API. Each token is associated with a specific Web3 Storage account and inherits the permissions granted to that account. When an API token is included in the Authorization header of an HTTP request, the Web3 Storage API validates the token to confirm the requestor's identity and determine if they are authorized to perform the requested action, such as uploading a file or retrieving content details.

This method is suitable for a wide range of applications, from backend services managing data on behalf of users to client-side applications that need direct interaction with Web3 Storage. The Web3 Storage client libraries (SDKs) for JavaScript client library, Python, Go, and Rust are designed to facilitate the secure inclusion of these API tokens in your application's requests, abstracting away the underlying HTTP header management.

Getting your credentials

To obtain an API token for Web3 Storage, you must first have a registered account. The process involves generating the token directly through the Web3 Storage web interface. Follow these steps:

  1. Create an Account: Navigate to the Web3 Storage login page and sign up if you don't already have an account. You can typically sign in using an email address and password, or through Web3 wallet providers.
  2. Access the Dashboard: Once logged in, you will be redirected to your Web3 Storage dashboard.
  3. Navigate to API Tokens: Look for a section or tab labeled 'API Tokens' or 'Manage API Keys' within the dashboard navigation.
  4. Generate New Token: Click on a button or link that allows you to 'Create new token' or 'Generate API token'. You may be prompted to provide a descriptive name for your token, which helps with organization and revocation later.
  5. Copy the Token: After generation, the API token will be displayed. It is crucial to copy this token immediately and store it in a secure location, as it is often shown only once and cannot be retrieved again for security reasons. If the token is lost, you will need to generate a new one.

Each generated API token is unique and grants access to your account's resources. Best practice suggests creating separate tokens for different applications or environments (e.g., development, staging, production) to enable easier revocation and management if a token is compromised or no longer needed. For more guidance, see the Web3 Storage documentation on managing API tokens.

Authenticated request example

Authenticating requests to the Web3 Storage API involves including your API token in the Authorization header. The token should be prefixed with Bearer, consistent with the OAuth 2.0 Bearer Token usage specification. Below are examples demonstrating how to make an authenticated request using curl and a JavaScript client library.

CURL Example

This example demonstrates uploading a file using the curl command-line tool. Replace YOUR_API_TOKEN with your actual Web3 Storage API token and /path/to/your/file.txt with the path to the file you wish to upload.

curl -X POST \ 
  -H "Authorization: Bearer YOUR_API_TOKEN" \ 
  -F "file=@/path/to/your/file.txt" \ 
  https://api.web3.storage/upload

JavaScript Example (using @web3-storage/w3up-client)

The Web3 Storage JavaScript client library simplifies authentication and interaction with the API. This example shows how to configure the client with your API token and upload a file.

import { Web3Storage } from 'web3.storage';

function getAccessToken() {
  return process.env.WEB3STORAGE_TOKEN; // Ensure token is securely loaded from environment variables
}

function makeStorageClient() {
  return new Web3Storage({ token: getAccessToken() });
}

async function storeFiles(files) {
  const client = makeStorageClient();
  const cid = await client.put(files);
  console.log('Stored files with CID:', cid);
  return cid;
}

// Example usage:
// const myFiles = [new File(['Hello Web3 Storage!'], 'hello.txt')];
// storeFiles(myFiles);

In this JavaScript example, the API token is passed during the client initialization. The client library then handles the construction of the appropriate HTTP headers for all subsequent requests. For comprehensive usage, refer to the Web3 Storage documentation on uploading data using their client libraries.

Security best practices

Securing your API tokens is critical to maintaining the integrity and confidentiality of your data stored on Web3 Storage. Adhering to security best practices helps prevent unauthorized access and potential misuse of your account. These practices are standard for any API key management, as outlined in general API security guidelines, such as those provided by Google Developers on API security best practices.

  • Store Tokens Securely: Never hardcode API tokens directly into your source code, especially for public repositories. Instead, store them in environment variables, secret management services (e.g., AWS Secrets Manager, Google Secret Manager), or secure configuration files that are not committed to version control. For client-side applications, consider using proxy servers to make API calls, preventing tokens from being exposed in browser-side code.

  • Use Environment Variables: For server-side applications, loading API tokens from environment variables (e.g., process.env.WEB3STORAGE_TOKEN in Node.js) is a common and recommended practice. This keeps sensitive information out of your codebase and allows for easy configuration across different deployment environments.

  • Principle of Least Privilege: While Web3 Storage API tokens currently grant broad access to your account (as they are account-level tokens), always strive to apply the principle of least privilege in your overall application architecture. If Web3 Storage introduces more granular permission controls in the future, configure tokens to have only the necessary permissions required for their specific task.

  • Regular Rotation: Periodically rotate your API tokens. This practice limits the window of opportunity for an attacker if a token is compromised. Generate a new token, update your applications, and then revoke the old token.

  • Monitor Usage: Regularly review your Web3 Storage account activity and API usage logs (if available). Unusual spikes in requests or unexpected data uploads/downloads could indicate a compromised token.

  • Revoke Compromised Tokens Immediately: If you suspect an API token has been compromised, revoke it immediately through the Web3 Storage dashboard. This will invalidate the token and prevent further unauthorized use.

  • Secure Development Environment: Ensure that your development environment is secure. Avoid storing API tokens on unsecured machines or in publicly accessible files. Use password managers and secure workstations.

  • HTTPS for All Communications: Always ensure that all communication with the Web3 Storage API is done over HTTPS. This encrypts data in transit, protecting your API token and payload from eavesdropping.

By implementing these security measures, developers can significantly reduce the risk of unauthorized access to their Web3 Storage resources and leverage the benefits of decentralized storage more securely.