Authentication
BinDist uses API key authentication to secure all API endpoints.
API Key Format
The shape of the API key depends on which deployment you're talking to.
Hosted (api.bindist.eu)
On the hosted, multi-tenant deployment, API keys follow the format {tenantId}.{secret}:
- Tenant ID: A UUID issued when your customer account is created.
- Secret: A randomly generated secret, returned once when the key is provisioned.
The two are joined by a literal dot. Example:
A bare secret without the tenant prefix will be rejected.
Self-hosted (single-tenant)
On a self-hosted, single-tenant deployment there is only one possible tenant, so the tenant prefix is unnecessary. You can pass just the secret as your API key.
Sending Your API Key
Include your API key in the Authorization header using Bearer authentication:
Alternatively, you can use the X-API-Key header:
Example Request
Key Types
BinDist uses two types of API keys:
Admin Keys
Admin keys provide full access to manage your account:
- Create and manage applications
- Upload new versions
- Create customer API keys
- View activity logs
- Manage backups
Customer Keys
Customer keys provide read-only access:
- List accessible applications
- List versions
- Download files
Security Best Practices
Never Expose Your API Key
- Don't commit API keys to version control
- Don't include API keys in client-side JavaScript
- Use environment variables or secure secret management
Regenerate Compromised Keys
If you suspect your API key has been compromised, regenerate it immediately from the Account page.
Storing API Keys Securely
Warning
Add .env to your .gitignore file!
For production environments, use a secret manager like AWS Secrets Manager, HashiCorp Vault, or similar.
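The following Python helper is an added example, not BinDist's own code: it reads the key from an environment variable, checks the hosted {tenantId}.{secret} shape before anything is sent, builds either of the two documented headers, and produces a log-safe form that never contains the secret. The variable name BINDIST_API_KEY, the function names and the sample key are assumptions made for illustration.

```python
import os
import uuid


def split_key(api_key, hosted=True):
    """Return (tenant_id, secret); tenant_id is None for a self-hosted bare secret."""
    if not api_key or any(c.isspace() for c in api_key):
        # Embedded whitespace or CR/LF must never reach a header value.
        raise ValueError("API key is empty or contains whitespace")
    if not hosted:
        return None, api_key
    tenant, sep, secret = api_key.partition(".")  # a UUID contains no dots
    if not sep or not secret:
        raise ValueError("hosted keys need the form {tenantId}.{secret}")
    try:
        canonical = str(uuid.UUID(tenant))
    except ValueError:
        canonical = None
    if canonical != tenant.lower():  # rejects braces, urn: prefixes, bare hex
        raise ValueError("tenant prefix is not a canonical UUID")
    return tenant, secret


def redact(api_key, hosted=True):
    """Log-safe form: keeps the tenant ID, never the secret."""
    tenant, _ = split_key(api_key, hosted)
    return f"{tenant}.***" if tenant else "***"


# BINDIST_API_KEY is an assumed variable name, not one defined by BinDist.
def auth_headers(env=os.environ, var="BINDIST_API_KEY", hosted=True, x_api_key=False):
    """Read the key from the environment and build one of the two documented headers."""
    key = env.get(var, "").strip()
    split_key(key, hosted)  # fail locally instead of sending a malformed key
    if x_api_key:
        return {"X-API-Key": key}
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    # Constructed sample key; not a real tenant or secret.
    sample = "123e4567-e89b-12d3-a456-426614174000.constructed-secret"
    print(redact(sample))
    print(sorted(auth_headers({"BINDIST_API_KEY": sample})))
```

Pass the returned dictionary as the request headers of whichever HTTP client you use, and log only the output of redact().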
Error Responses
Missing API Key
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing authentication token"
  }
}