Authentication

Understanding authentication methods for the Mesh API.

Authentication Methods

API Key Authentication

The primary authentication method for programmatic access to the Mesh API.

Header Format:

x-api-key: {api_key}
x-group: groups/{group_ulid}

Key Characteristics: API keys are generated when creating API users.

Group Context

All API operations require a group context header that specifies which group the operation should be performed within.

Purpose:

  • Provides resource isolation between different organizations
  • Enforces multi-tenancy boundaries
  • Ensures users can only access resources they own

SDK Configuration

For detailed information about configuring SDK clients, including advanced features like OpenTelemetry tracing, TLS/mTLS support, timeout handling, and resource management, see the SDK Configuration documentation.

Security Best Practices

API Key Management

  • Store API keys securely (environment variables, secret managers)
  • Never commit API keys to version control
  • Rotate API keys regularly
  • Use different API keys for different environments

Group Context Security

  • Always validate that the group context matches your organization
  • Don't hardcode group IDs in applications
  • Use environment-specific group configurations
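
The API key and group context practices above, as an added Python example that is not part of the Mesh documentation or SDK: it builds the two headers from environment settings and fails closed on a missing key or an unexpected group. The variable names MESH_API_KEY, MESH_GROUP_ULID and MESH_ALLOWED_GROUPS are assumptions, as is the check that the group ID is a standard 26-character ULID.

```python
import os
import re

# Standard ULID text form: 26 Crockford base32 characters (no I, L, O, U),
# first character 0-7 because the value is 128 bits.
ULID_RE = re.compile(r"[0-7][0-9A-HJKMNP-TV-Z]{25}", re.IGNORECASE)


class AuthConfigError(ValueError):
    """Raised when the API key or group context is missing or malformed."""


def build_auth_headers(env=None):
    """Return the x-api-key / x-group headers built from environment settings.

    MESH_API_KEY, MESH_GROUP_ULID and MESH_ALLOWED_GROUPS are names assumed
    for this example; they are not defined by the Mesh API.
    """
    env = os.environ if env is None else env
    api_key = env.get("MESH_API_KEY", "")
    group = env.get("MESH_GROUP_ULID", "")
    # Comma-separated list of groups this deployment is expected to act in.
    allowed = {g.strip() for g in env.get("MESH_ALLOWED_GROUPS", "").split(",")}
    allowed.discard("")

    if not api_key:
        raise AuthConfigError("MESH_API_KEY is not set")
    # Whitespace or control characters in a secret usually mean a bad paste,
    # and CR/LF would let the value spill into other request headers.
    if re.search(r"[\s\x00-\x1f\x7f]", api_key):
        raise AuthConfigError("MESH_API_KEY contains whitespace or control characters")
    if not ULID_RE.fullmatch(group):
        raise AuthConfigError("MESH_GROUP_ULID is not a valid ULID")
    # Fail closed: a well-formed group that is not expected here is rejected.
    if group not in allowed:
        raise AuthConfigError("group is not listed in MESH_ALLOWED_GROUPS")
    return {"x-api-key": api_key, "x-group": f"groups/{group}"}


def redact(headers):
    """Return a copy of the headers that is safe to log (API key masked)."""
    return {k: ("***" if k.lower() == "x-api-key" else v) for k, v in headers.items()}
```

Pass the returned dictionary to whatever HTTP client or SDK option sets request headers, and log only the output of `redact`.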

Network Security

  • Use TLS in production environments
  • Consider mTLS for high-security requirements
  • Implement proper certificate validation

Access Control

  • Follow the principle of least privilege when assigning roles
  • Regularly audit API user permissions
  • Deactivate unused API users promptly