next-gen api authentication

Authentication at the edge
Toru Maesaka | Software Engineer, Fastly
Posted on 16-Apr-2017

“The Fastly API is a RESTful API that supports all features available through the Fastly user interface”

Fastly API

• Customize how you interact with Fastly
• Integrate Fastly with your system
• Programmatically control Fastly
• Do less with Automation

Recap: Fastly API key

• Available to all customers
• One key per customer
• Use it by including it in the Fastly-Key header

Fastly API key limitations

• Key rotation can cause downtime
• Role based access control is not available
• Affects everyone in the organization

We’ve had lots of feedback

And we’ve been listening

API Tokens

Designed to solve API Key limitations

API Tokens

• API Tokens are available per user
• Users can create multiple tokens
• Two-factor Authentication
• RBAC / Token Authorization
• Zero downtime token rotation

Token Authorization

• Just the right amount of power
• Pinning a Token to a Service ✔
• Authorization Scope

Scope      Description
api-key    Same access level as an API Key (default)
purge      Purge with surrogate-key and URL
purge_all  Purge an entire service

Creating a token

POST /tokens

curl -H "Fastly-OTP: 123456" \
  -d "[email protected]&password=$SECRET" \
  -d "name=purge_token" \
  -d "scope=purge" \
  https://api.fastly.com/tokens

Response:

{
  "id": "5YvQH3Rg4bPPkhvPC6WFm2",
  "user_id": "1dZ0KVnlsFXc3ZiW9hsAb3",
  "access_token": "a103bb87a7b4c71ff932f871dd19dabc",
  "service_id": null,
  "name": "Fastly API Token",
  "scope": "api-key",
  "created_at": "2016-06-21T23:04:20+00:00"
}

Revoking a token

DELETE /tokens/self Revokes a token used in the request

DELETE /tokens/:id Revokes a token based on token id

Other features

GET /tokens/self Get basic information about the token

GET /tokens List a user’s provisioned tokens

GET /customer/:id/tokens List all tokens associated to a customer (for superuser)
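The slides above describe the pieces of a zero-downtime rotation: mint a new scoped token with an OTP (POST /tokens), check it with GET /tokens/self, and only then revoke the old one with DELETE /tokens/:id. The example below is added here and is not Fastly's own client code. It assumes that a token is presented in the same Fastly-Key header the slides show for the legacy API key, that the form fields are the ones in the curl slide (username, password, name, scope), and that the revoking token is authorized to delete the old id. The transport is injected, so the flow runs offline against a constructed fake server whose token ids and secrets are made up; in production the transport would call urllib.request.urlopen and parse the JSON body.

```python
"""Token lifecycle from the slides, run offline: mint a scoped token with an
OTP (POST /tokens), prove it works (GET /tokens/self), then revoke the old one
(DELETE /tokens/:id). Added example, not Fastly's code; the transport is
injected so a constructed fake can stand in for api.fastly.com."""
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

API = "https://api.fastly.com"
# Transport contract: send(request) -> (HTTP status, parsed JSON body or None)
Transport = Callable[[urllib.request.Request], Tuple[int, Optional[dict]]]


def create_token_request(user: str, password: str, otp: str, name: str,
                         scope: str = "api-key") -> urllib.request.Request:
    """POST /tokens with form-encoded credentials, a descriptive name and the
    least scope that does the job; the second factor rides in Fastly-OTP."""
    body = urllib.parse.urlencode({"username": user, "password": password,
                                   "name": name, "scope": scope}).encode()
    return urllib.request.Request(
        f"{API}/tokens", data=body, method="POST",
        headers={"Fastly-OTP": otp,
                 "Content-Type": "application/x-www-form-urlencoded"})


def token_request(access_token: str, method: str, path: str) -> urllib.request.Request:
    """Authenticated call; the token is sent in the Fastly-Key header
    (assumption: same header the slides show for the legacy API key)."""
    return urllib.request.Request(f"{API}{path}", method=method,
                                  headers={"Fastly-Key": access_token})


def rotate_token(send: Transport, user: str, password: str, otp: str,
                 old_token_id: str, name: str, scope: str) -> dict:
    """Zero-downtime rotation: mint the replacement and verify it before the
    old token is revoked, so a failed mint never leaves callers locked out."""
    status, new = send(create_token_request(user, password, otp, name, scope))
    if status != 200 or not new or "access_token" not in new:
        raise RuntimeError(f"token creation failed: HTTP {status}")
    status, me = send(token_request(new["access_token"], "GET", "/tokens/self"))
    if status != 200 or not me or me.get("id") != new["id"]:
        raise RuntimeError("new token did not authenticate; old token kept")
    # Roll the new secret out to consumers here, then retire the old one.
    status, _ = send(token_request(new["access_token"], "DELETE",
                                   f"/tokens/{old_token_id}"))
    if status not in (200, 204):
        raise RuntimeError(f"revoking {old_token_id} failed: HTTP {status}")
    return new


def _header(req: urllib.request.Request, name: str) -> Optional[str]:
    """Case-insensitive lookup (urllib capitalises header names on add)."""
    return next((v for k, v in req.header_items() if k.lower() == name.lower()), None)


class FakeFastly:
    """Constructed stand-in for api.fastly.com so the flow runs offline.
    Token ids and secrets here are made up, not real Fastly values."""
    def __init__(self) -> None:
        self.tokens = {"OLDTOKEN00000000000000": "old-secret-0000"}  # id -> secret
        self.calls: list = []  # (method, path), in order

    def __call__(self, req: urllib.request.Request) -> Tuple[int, Optional[dict]]:
        method, path = req.get_method(), req.full_url[len(API):]
        self.calls.append((method, path))
        if method == "POST" and path == "/tokens":
            if _header(req, "Fastly-OTP") != "123456":  # 2FA gate on minting
                return 401, None
            form = urllib.parse.parse_qs(req.data.decode())
            rec = {"id": "NEWTOKEN00000000000000", "user_id": "USER000000000000000000",
                   "access_token": "new-secret-1111", "service_id": None,
                   "name": form["name"][0], "scope": form["scope"][0]}
            self.tokens[rec["id"]] = rec["access_token"]
            return 200, rec
        caller = next((i for i, s in self.tokens.items()
                       if s == _header(req, "Fastly-Key")), None)
        if caller is None:  # unknown or already-revoked token
            return 401, None
        if method == "GET" and path == "/tokens/self":
            return 200, {"id": caller}
        if method == "DELETE" and path.startswith("/tokens/"):
            target = caller if path == "/tokens/self" else path[len("/tokens/"):]
            return (204, None) if self.tokens.pop(target, None) else (404, None)
        return 404, None


def demo() -> Tuple[dict, FakeFastly]:
    """Rotate the constructed old token for a purge-only one and return both
    the new record and the fake so the call sequence can be inspected."""
    fake = FakeFastly()
    new = rotate_token(fake, "user@example.com", "hunter2", "123456",
                       old_token_id="OLDTOKEN00000000000000",
                       name="purge_token", scope="purge")
    return new, fake


if __name__ == "__main__":
    record, server = demo()
    print(record["id"], record["scope"], [m for m, _ in server.calls])
```

The order of operations is the point: the old token stays valid until the new one has answered GET /tokens/self, which is what makes the rotation downtime-free, and the new token is created with the purge scope rather than the api-key default, so a leak of that token exposes only purging.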

Where to from here?

Documentation available at:

• https://docs.fastly.com/api/auth