Operator API Keys
This is a limited feature and not currently available to the general public.
Yellow API keys are not used for communicating with the REST-API, as is usually the case with API keys. To talk to the API, you can use HTTP basic auth, which is a convenient way to do it.
Rather, API keys are a special way to facilitate passwordless login for some types of operator users for a specific camera.
How to use API keys
If you are authorised to manage API keys, you will see a new menu item in the sidebar:
Clicking on it will take you to a page for managing your keys. Do note that the key you are seeing in the table is not the full key, merely the first 8 characters. In order to see the full key, right-click on the entry in the table and select the option “see full token”. If you do not see any entries in the table, you don’t have any API keys and will need to create one first. Read further down to see how to do that.
Once you have copied the full key, using it is very straightforward. In your browser's address bar, enter the URL:
https://api.yellow.camera/apikey?key=<insert token here>
This will redirect you to the proper place in the portal with a session already created. Please note, however, that after a successful authentication the key will be blocked for 60 seconds, so you cannot do this multiple times in quick succession. See ‘API Key limitations’ further down for more information.
Creating API keys
Creating API keys is very simple. Just click on the create button in the top right of the screen, choose a user and a camera, then click create:
However, there are some conditions here:
You must be a superuser or admin.
You can only select users and cameras that you yourself have permission for.
API keys can only be created for operator level users.
API keys can only be created for cameras that have a peripheral enabled that supports API keys. Right now, this is only the bmetry peripheral.
The user you select must have permission for the camera you select, otherwise creation will fail.
API Key limitations
The operator keys are a potential security risk, as they allow full authentication through a key that is essentially public. Since they have to be QR-code compatible, the keys need to be submitted in the URL query string, which means they will be persisted in the user's browser history. In order not to compromise operational security, these keys can therefore only be created for operator users, who do not have permission to query image data from the portal. In addition, the authentication endpoint will only accept one request per minute: after a successful authentication, any further authentication requests for the same key within sixty seconds will be answered with 403 Forbidden.
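The cooldown rule described above, modelled as an added example (this is not Yellow's code). The class name, the result strings, the hashed key table and the treatment of unknown keys are assumptions; only the 60-second window and the 403 on repeat requests come from this page.

```python
import hashlib
import time

COOLDOWN_SECONDS = 60  # from the page: key is blocked for 60 s after a successful login


class OperatorKeyGate:
    """Toy model of the one-login-per-minute rule (hypothetical, for illustration)."""

    def __init__(self, issued_keys, clock=time.monotonic):
        # Assumption: keep only digests, so a dump of this table reveals no usable key.
        self._digests = {self._digest(k) for k in issued_keys}
        self._last_success = {}  # digest -> time of the last successful login
        self._clock = clock      # injectable so the window can be tested without sleeping

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def authenticate(self, presented_key):
        """Return "session" (redirect with a session) or "forbidden" (403)."""
        digest = self._digest(presented_key)
        if digest not in self._digests:
            # Assumption: the page does not say how unknown keys are answered.
            return "forbidden"
        now = self._clock()
        last = self._last_success.get(digest)
        if last is not None and now - last < COOLDOWN_SECONDS:
            # Rejected attempts do not restart the window; only successes do.
            return "forbidden"
        self._last_success[digest] = now
        return "session"


if __name__ == "__main__":
    fake_now = [0.0]  # constructed clock so the demo runs instantly
    gate = OperatorKeyGate(["constructed-key-A"], clock=lambda: fake_now[0])
    for t in (0, 30, 61):
        fake_now[0] = t
        print(t, gate.authenticate("constructed-key-A"))
```

The window is tracked per key, so one key being in cooldown does not block a different key issued for another user or camera.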