Node API: Authorization

RPC API

There is no authorization built into the RPC API; all users have full access to all API methods.

REST API

The REST API has role-based access control. Keys and roles are controlled through the appsettings.json file.

"Roles": [ "User", "Admin" ]

Authorization is handled through tags on controllers or operations.

Here is an example taken from the Shutdown operation, which is only accessible to admin keys:

[Authorize(Policy = "OnlyAdmins")]
[HttpPost]
[Route("shutdown")]
[Route("stop")]
public IActionResult Shutdown([FromBody] bool corsProtection = true)
{
    this.fullNode?.NodeLifetime.StopApplication();
    return this.Ok();
}
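
How a policy name such as "OnlyAdmins" can resolve against the roles configured for a key in ASP.NET Core, as an added example that is not the node's own code. The header name `Node-Api-Key`, the flat `Keys` configuration section with `Key` and `Roles` entries, the scheme name `ApiKey`, and the class names are assumptions made for illustration; the constructor signature targets ASP.NET Core 3.1/5.

```csharp
// Added illustration, not the node's source; header, config layout and names are assumed.
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public class ApiKeyHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private readonly IConfiguration config;
    public ApiKeyHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock, IConfiguration config)
        : base(options, logger, encoder, clock) => this.config = config;

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No key presented: no identity is built, so [Authorize] endpoints are challenged (401).
        if (!Request.Headers.TryGetValue("Node-Api-Key", out var presented))
            return Task.FromResult(AuthenticateResult.NoResult());
        byte[] given = Encoding.UTF8.GetBytes(presented.ToString());
        foreach (var entry in config.GetSection("Keys").GetChildren())
        {
            byte[] known = Encoding.UTF8.GetBytes(entry["Key"] ?? "");
            // Skip blank entries; compare in constant time so the check is not a timing oracle.
            if (known.Length == 0 || !CryptographicOperations.FixedTimeEquals(given, known)) continue;
            // Each role configured for the matching key becomes a role claim.
            var claims = entry.GetSection("Roles").GetChildren()
                .Where(r => r.Value != null).Select(r => new Claim(ClaimTypes.Role, r.Value));
            var identity = new ClaimsIdentity(claims, Scheme.Name);
            return Task.FromResult(AuthenticateResult.Success(
                new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name)));
        }
        return Task.FromResult(AuthenticateResult.Fail("Unknown API key"));
    }
}
public static class NodeApiAuth
{
    public static void AddNodeApiAuth(this IServiceCollection services)
    {
        services.AddAuthentication("ApiKey")
            .AddScheme<AuthenticationSchemeOptions, ApiKeyHandler>("ApiKey", null);
        // The policy named in [Authorize(Policy = "OnlyAdmins")] requires the Admin role claim.
        services.AddAuthorization(o => o.AddPolicy("OnlyAdmins", p => p.RequireRole("Admin")));
    }
}
```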

Unauthorized (401)

When a request is not authorized with the API key, the API returns an HTTP 401 Unauthorized result. If you get an HTTP 500 error instead, there might be a configuration or other issue with the node.

The JSON body result will be:

{
  "type": "https://httpstatuses.com/401",
  "title": "Unauthorized",
  "status": 401
}

Last update: 2021-10-24