Authentication Guide

Learn how to set up and manage API keys for secure access to the ZoneweaverAPI.

Table of contents

  1. Overview
  2. API Key Format
  3. Getting Your First API Key
    1. Bootstrap Method (First Install)
  4. Using API Keys
    1. In HTTP Requests
    2. In Frontend Applications
  5. Managing API Keys
    1. Generate Additional API Keys
    2. List Existing API Keys
    3. Get Current API Key Information
    4. Revoke API Keys
    5. Delete API Keys
  6. Security Best Practices
    1. 1. Environment Variables
    2. 2. Different Keys for Different Uses
    3. 3. Regular Key Rotation
    4. 4. Monitor Key Usage
  7. Configuration Options
  8. Troubleshooting
    1. Invalid API Key Errors
    2. Bootstrap Endpoint Disabled
    3. Missing Authorization Header

Overview

The ZoneweaverAPI uses Bearer token authentication with API keys. All requests must include a valid API key in the Authorization header.

API Key Format

ZoneweaverAPI keys use the following format:

wh_[random_string]

Example: wh_abc123def456ghi789jkl012mno345pqr678stu901vwx234yz

Getting Your First API Key

Bootstrap Method (First Install)

On a fresh installation, use the bootstrap endpoint to generate your first API key:

curl -X POST https://your-server:5001/api-keys/bootstrap \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Initial Setup",
    "description": "Bootstrap API key for initial configuration"
  }'

Response:

{
  "api_key": "wh_abc123def456...",
  "entity_id": 1,
  "name": "Initial Setup",
  "description": "Bootstrap API key for initial configuration",
  "message": "API key generated successfully",
  "note": "Bootstrap endpoint will be auto-disabled for future requests"
}

⚠️ Important: The bootstrap endpoint is automatically disabled after first use for security.

Using API Keys

In HTTP Requests

Include the API key in the Authorization header:

curl -H "Authorization: Bearer wh_your_api_key_here" \
  https://your-server:5001/stats

In Frontend Applications

const apiKey = 'wh_your_api_key_here';

fetch('https://your-server:5001/zones', {
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  }
})
.then(response => response.json())
.then(data => console.log(data));

Managing API Keys

Generate Additional API Keys

Once you have your first API key, you can generate additional keys:

curl -X POST https://your-server:5001/api-keys/generate \
  -H "Authorization: Bearer wh_your_existing_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Frontend Application",
    "description": "API key for the web frontend"
  }'

List Existing API Keys

View all API keys (without exposing the actual key values):

curl -H "Authorization: Bearer wh_your_api_key" \
  https://your-server:5001/api-keys

Get Current API Key Information

Check information about the API key you’re currently using:

curl -H "Authorization: Bearer wh_your_api_key" \
  https://your-server:5001/api-keys/info

Revoke API Keys

Deactivate an API key (can be reactivated later):

curl -X PUT \
  -H "Authorization: Bearer wh_your_api_key" \
  https://your-server:5001/api-keys/1/revoke

Delete API Keys

Permanently delete an API key:

curl -X DELETE \
  -H "Authorization: Bearer wh_your_api_key" \
  https://your-server:5001/api-keys/1

Security Best Practices

1. Environment Variables

Store API keys in environment variables, not in code:

export ZONEWEAVER_API_KEY="wh_your_api_key_here"

const apiKey = process.env.ZONEWEAVER_API_KEY;

2. Different Keys for Different Uses

Create separate API keys for:

  • Frontend applications
  • Backend services
  • Development/testing
  • Administrative tasks

3. Regular Key Rotation

Periodically regenerate API keys:

  1. Generate a new key
  2. Update applications to use the new key
  3. Delete or revoke the old key

4. Monitor Key Usage

Check the last_used field to identify unused keys:

curl -H "Authorization: Bearer wh_your_api_key" \
  https://your-server:5001/api-keys

Configuration Options

Configure API key behavior in /etc/zoneweaver-api/config.yaml:

api_keys:
  # Enable/disable bootstrap endpoint
  bootstrap_enabled: true
  
  # Auto-disable bootstrap after first use
  bootstrap_auto_disable: true
  
  # API key length (characters after wh_ prefix)
  key_length: 32
  
  # Bcrypt hash rounds for storing keys
  hash_rounds: 12

Troubleshooting

Invalid API Key Errors

Error: 401 Unauthorized - Invalid API key

Solutions:

  1. Verify the API key format includes wh_ prefix
  2. Check that the key hasn’t been revoked
  3. Ensure the Authorization header is properly formatted
  4. Verify the key exists in the database

Bootstrap Endpoint Disabled

Error: 403 Forbidden - Bootstrap endpoint disabled

Solutions:

  1. Use an existing API key to generate new keys
  2. If no keys exist, manually enable bootstrap in config:
    api_keys:
  bootstrap_enabled: true
  3. Restart the service: svcadm restart zoneweaver-api

Missing Authorization Header

Error: 401 Unauthorized - API key required

Solution: Include the Authorization header in your request: ```bash -H “Authorization: Bearer wh_your_api_key”