diff --git a/APIKeys.md b/APIKeys.md new file mode 100644 index 0000000..381b82a --- /dev/null +++ b/APIKeys.md @@ -0,0 +1,65 @@ +# API Keys + +API keys can be used to access secured HTTP APIs, including the +Prometheus metrics endpoint. + +## Adding an API key + +Management of API keys is done through the API Key management page, +accessible from the drop down menu, just below the maintenance link. This +page will show you all of your API keys, including expired keys. The +green button in the top left can be used to add a new key. + +You can set the name of the key, as well as it's expiry date, or +optionally set the key to never expire. When you click generate, you +will be shown the API key in a pop up dialog, you should make sure to +make a copy of the key as it will not be shown again. The API key cannot +be used to access the web interface but you should treat API keys like +you treat your passwords as they can still be used to access potentially +sensitive data. + +Note: whilst basic authentication will continue to work after you +update, you will be unable to use basic authentication as soon as you +add your first API key. After you have added your first API key, basic +authentication for endpoints will be permanently disabled. + +## Disabling keys + +It is possible to temporarily disable keys. This can be done through the +management page. This will prevent the key from being used for +authentication until it is enabled again. + +## Expired keys + +If a key has expired, it will not be automatically deleted. This is to +aid in debugging systems that suddenly stop working. You can delete an +expired key, or any key for that matter, by simply hitting the red +delete button from the management page. + +## Authenticating using an API key + +Authentication is done by passing the API key in the `Authorization` +header. For example, here is a request made with curl to the `metrics` +endpoint. + +``` +curl -u":" uptime.kuma/metrics +``` + +Note, the `:` is required before the key as basic authentication +requires a username and password separated by a `:`, however we don't +make use of the username field. + +Here is an example config for Prometheus: + +``` + - job_name: 'uptime' + scrape_interval: 30s + scheme: http + static_configs: + - targets: ['uptime.url'] + basic_auth: + password: +``` + +Note: we don't need to set a password field as it is not used.