Authentication and Permissions
Learn how to secure your Dreambase projects with authentication methods, API keys, and role-based permissions.
JavaScript SDK:

```javascript
const session = await account.createEmailSession('user@example.com', 'password123');
```

cURL:

```bash
curl -X POST https://api.example.com/v1/account/sessions/email \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "password123"
  }'
```

Response:

```json
{
  "userId": "user_abc123",
  "sessionId": "sess_xyz789",
  "$createdAt": "2024-01-01T00:00:00.000+00:00"
}
```
Overview
Secure your Dreamscript projects using API keys for server-side access, JWT tokens for user sessions, and role-based access control (RBAC) for permissions. Dreamscript supports multiple authentication flows to fit your needs, from anonymous sessions to full OAuth integrations.
Always store API keys and tokens securely. Never expose them in client-side code or public repositories. Use environment variables and rotate keys regularly.
Authentication Methods
Choose the right method based on your use case. API keys suit server-to-server communication, while user authentication handles end-user sessions.
API keys provide scoped access to Dreamscript services. Generate them from your project dashboard.
Generate API Key
Navigate to your project settings in the Dreamscript console and create a new API key with the required scopes.
Use in Requests
Add the key to the X-API-Key header of each API call, replacing YOUR_API_KEY below with the key you generated. Send it only from server-side code: a key shipped in a browser or mobile bundle is effectively public.
JavaScript:

```javascript
const response = await fetch('https://api.example.com/v1/databases', {
  headers: {
    'X-API-Key': 'YOUR_API_KEY',
    'Content-Type': 'application/json'
  }
});
```

Python:

```python
import requests

response = requests.get(
    'https://api.example.com/v1/databases',
    headers={'X-API-Key': 'YOUR_API_KEY'}
)
```

cURL:

```bash
curl -H "X-API-Key: YOUR_API_KEY" \
  https://api.example.com/v1/databases
```
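The snippets above hard-code the key for illustration. The following is an added example, not code from the Dreamscript SDK or its documentation, of a server-side wrapper around the same X-API-Key pattern that enforces three of this page's rules in code rather than by convention: the key is read from the environment, requests are refused unless the base URL is HTTPS and the path stays on that origin, and the key is redacted from error text before it can reach logs. The DREAMSCRIPT_API_KEY variable name, the endpoint paths and the injectable fetch-compatible transport are assumptions made for the example; the demo runs offline against a constructed transport.

```javascript
// Added example (not Dreamscript's SDK): a hardened server-side client for the
// X-API-Key header. Assumed names: DREAMSCRIPT_API_KEY, the endpoint paths, and
// the fetch-compatible transport passed in as fetchImpl.

function loadApiKey(env = process.env) {
  const key = env.DREAMSCRIPT_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('DREAMSCRIPT_API_KEY is not set; refusing to start without a key');
  }
  return key;
}

// Replace every occurrence of the secret so a stack trace or log line never carries it.
function redact(text, secret) {
  return secret ? text.split(secret).join('[REDACTED]') : text;
}

function createClient({ baseUrl, apiKey, fetchImpl = globalThis.fetch }) {
  const base = new URL(baseUrl);
  if (base.protocol !== 'https:') {
    throw new Error(`refusing to send an API key over ${base.protocol.replace(':', '')}; use https://`);
  }
  return {
    async get(path) {
      // Resolve the path against the base and make sure it did not escape the
      // origin (a path such as "//evil.example/x" would otherwise carry the key elsewhere).
      const url = new URL(path, base);
      if (url.origin !== base.origin) {
        throw new Error(`path resolved off-origin to ${url.origin}; request blocked`);
      }
      const res = await fetchImpl(url.toString(), {
        method: 'GET',
        headers: { 'X-API-Key': apiKey, 'Content-Type': 'application/json' },
      });
      if (!res.ok) {
        const body = await res.text();
        // Error bodies may echo request headers; scrub the key before it reaches a logger.
        throw new Error(redact(`GET ${url.pathname} failed: ${res.status} ${body}`, apiKey));
      }
      return res.json();
    },
  };
}

// Offline demonstration with a constructed transport that records what was sent
// and echoes the key back in a 401 body, the way a misconfigured proxy might.
async function demo() {
  const apiKey = loadApiKey({ DREAMSCRIPT_API_KEY: 'sk_test_0123456789' }); // constructed value, not a real key
  const sent = [];
  const fakeFetch = async (url, init) => {
    sent.push({ url, headers: init.headers });
    if (url.endsWith('/v1/databases')) {
      return { ok: true, status: 200, text: async () => '', json: async () => ({ total: 1, databases: [{ $id: 'db_main' }] }) };
    }
    return { ok: false, status: 401, text: async () => `bad key ${init.headers['X-API-Key']}`, json: async () => ({}) };
  };
  const client = createClient({ baseUrl: 'https://api.example.com', apiKey, fetchImpl: fakeFetch });

  const ok = await client.get('/v1/databases');

  let errorText = null;
  try { await client.get('/v1/forbidden'); } catch (e) { errorText = e.message; }

  let httpRejected = false;
  try { createClient({ baseUrl: 'http://api.example.com', apiKey }); } catch { httpRejected = true; }

  let offOriginRejected = false;
  try { await client.get('//evil.example/v1/databases'); } catch { offOriginRejected = true; }

  return { ok, sentKey: sent[0].headers['X-API-Key'], errorText, httpRejected, offOriginRejected };
}

demo().then((result) => console.log(result));
```

The origin check matters because URL resolution treats a leading `//` as a new host; without it, a path taken from user input could redirect a request, key included, to a host the attacker controls.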
User authentication handles signups, logins, and sessions for end users, with email/password credentials or OAuth providers; the email session call at the top of this page is the simplest flow.
Managing Permissions and Roles
Define granular permissions on resources such as databases and storage buckets. A permission names a resource, an action, and the role allowed to perform it, in the format resource:action(role). Roles include role:all, role:users[any], role:member, and specific user IDs written as user:USER_ID. Examples:
| Permission | Description |
|---|---|
| document:read | Read any document (no role attached) |
| document:write(role:member) | Write for members only |
| any:delete(user:USER_ID) | Delete on any resource, only for the user with ID USER_ID |
| document:read(role:users[any]) | Read for any signed-in user |
Implementation Example
Set up a protected database collection.
```javascript
// Create a collection and attach its permissions at creation time
const collection = await databases.createCollection(
  'DATABASE_ID',    // database that will hold the collection
  'COLLECTION_ID',  // ID for the new collection
  'users',          // collection name
  ['*'],
  [
    { permission: 'read', role: 'role:guest' },      // guests may read
    { permission: 'write', role: 'users[$userId]' }  // writes tied to the signed-in user
  ]
);
```
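Before handing a permission list like the one above to createCollection, it is worth being able to answer "who can do what" offline. The following is an added example, not Dreamscript's own code: a parser and evaluator for the resource:action(role) strings described in the permissions section, plus a small linter that flags rules granting more than read access to everyone. The role semantics beyond the table are assumptions made for this example: role:all matches everyone, role:guest only unauthenticated callers, role:member and role:users[any] any signed-in user, user:ID and role:users[ID] one specific user, and a rule with no role attached (such as document:read) is treated as role:all. Malformed strings are rejected rather than skipped, so a typo fails closed instead of silently dropping a rule.

```javascript
// Added example, not Dreamscript's own code: parse and evaluate
// resource:action(role) permission strings. Role semantics are assumptions
// (see lead-in); the sample permission list is constructed for this demo.

const PERMISSION_RE = /^([a-z]+):([a-z]+)(?:\(([a-z]+:[A-Za-z0-9_]+(?:\[[A-Za-z0-9_$]+\])?)\))?$/;

function parsePermission(str) {
  const m = PERMISSION_RE.exec(str);
  if (!m) throw new Error(`malformed permission string: ${JSON.stringify(str)}`);
  // Assumption: a rule with no role attached applies to everyone.
  const [, resource, action, role = 'role:all'] = m;
  return { resource, action, role };
}

// principal is null for an unauthenticated caller, otherwise { userId }.
function roleMatches(role, principal) {
  const authenticated = principal !== null && typeof principal.userId === 'string';
  if (role === 'role:all') return true;
  if (role === 'role:guest') return !authenticated;
  if (role === 'role:member' || role === 'role:users[any]') return authenticated;
  const specific = /^user:([A-Za-z0-9_]+)$/.exec(role) || /^role:users\[([A-Za-z0-9_]+)\]$/.exec(role);
  if (specific) return authenticated && principal.userId === specific[1];
  return false; // unknown role spelling grants nothing: fail closed
}

function isAllowed(permissionStrings, principal, resource, action) {
  // Parse everything first so one malformed entry rejects the whole list.
  const rules = permissionStrings.map(parsePermission);
  return rules.some((r) =>
    (r.resource === 'any' || r.resource === resource) &&
    r.action === action &&
    roleMatches(r.role, principal));
}

// Lint: anything beyond read that is open to everyone deserves a second look.
function findOverlyBroadRules(permissionStrings) {
  return permissionStrings.filter((s) => {
    const r = parsePermission(s);
    return r.action !== 'read' && r.role === 'role:all';
  });
}

// Constructed permission list modelled on the table above.
const SAMPLE_PERMISSIONS = [
  'document:read',
  'document:write(role:member)',
  'any:delete(user:user_abc123)',
];

function demo() {
  const guest = null;
  const member = { userId: 'user_xyz789' };
  const owner = { userId: 'user_abc123' };
  return {
    guestRead: isAllowed(SAMPLE_PERMISSIONS, guest, 'document', 'read'),      // true
    guestWrite: isAllowed(SAMPLE_PERMISSIONS, guest, 'document', 'write'),    // false
    memberWrite: isAllowed(SAMPLE_PERMISSIONS, member, 'document', 'write'),  // true
    memberDelete: isAllowed(SAMPLE_PERMISSIONS, member, 'bucket', 'delete'),  // false
    ownerDelete: isAllowed(SAMPLE_PERMISSIONS, owner, 'bucket', 'delete'),    // true
    broad: findOverlyBroadRules(['document:write', 'document:read', 'file:delete(role:all)']), // the two non-read rules
  };
}

console.log(demo());
```

Run the linter over every permission list in a deployment script and fail the deploy when it returns anything; "everyone may write" is almost always a mistake rather than a design decision.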
Security Best Practices
Follow these guidelines to maintain secure access:
Rotate Keys
Generate a new key, move every caller to it, then revoke the old one. Revoke immediately if a key may have leaked.
Least Privilege
Give each key only the scopes its caller needs, and use a separate key per service rather than one key for everything.
HTTPS Only
All API calls must use HTTPS, so that keys and session tokens are never sent in the clear.
Audit Logs
Enable access logging and review it for calls from unexpected keys, addresses, or scopes.
For production, integrate with external identity providers like Auth0 or Google OAuth via Dreamscript's OAuth2 endpoints.