Authentication

The runtime APIs exposed by all blockchain nodes and services in Kaleido are secured with strong generated credentials.

We call these Application Credentials, and they should be generated and managed for each application that accesses your runtime infrastructure.

Per Member, Per Environment

When you generate an application credential, it is scoped to your membership of a consortium, within a particular environment.

  • Membership Org1's app credential will not work against membership Org2's resources
  • The same app credential will work against Node 1, Node 2 and HD Wallet 1 in the same environment, as long as they are owned by the same Org1 membership
  • An app credential created by Org1 for environment Env1 will not work for a resource in Env2

Generating App Credentials

Add new application credentials from an environment:

Add App Credential to an Environment

Choose the membership to scope the application credential to:

Create Application Credential

Ensure you copy out the credential, because Kaleido does not store it.

Copy your App Credentials

Supplying Application Credentials in API Calls

Application credentials are supplied base64 encoded using a standard called "HTTP Basic Auth".

This standard has wide support in client libraries and web browsers.

Postman example

The following shows how you can specify the application credentials in Postman on a simple REST API call, in this case to a HD Wallet.

App Credentials Postman Example

Raw HTTP API examples

Different libraries require you to specify the authentication in different ways. In all cases the end result is the same: the strong generated username/password combination is base64 encoded and passed to the API in an Authorization: Basic XYZ header.

Let's look at three different ways you can pass the same information to curl. These represent the three most common options that client API libraries, such as Swagger/OpenAPI clients, or bespoke client libraries, allow.

1. Using a username/password special option

curl -v --user e0f0pbkxfu:iFFjRbgFDjpqR99fHMudOPCSgCFFh6QociYCLem-VPA https://e0ftkb2ckc-e0w1f5ani1-hdwallet.de0-aws.kaleido.io/api/v1/wallets
...
> Authorization: Basic ZTBmMHBia3hmdTppRkZqUmJnRkRqcHFSOTlmSE11ZE9QQ1NnQ0ZGaDZRb2NpWUNMZW0tVlBB

2. Embedding the username/password into the URL

curl -v https://e0f0pbkxfu:iFFjRbgFDjpqR99fHMudOPCSgCFFh6QociYCLem-VPA@e0ftkb2ckc-e0w1f5ani1-hdwallet.de0-aws.kaleido.io/api/v1/wallets
...
> Authorization: Basic ZTBmMHBia3hmdTppRkZqUmJnRkRqcHFSOTlmSE11ZE9QQ1NnQ0ZGaDZRb2NpWUNMZW0tVlBB

3. Supplying a raw pre-encoded base64 header

B64AUTH=$(echo -n 'e0f0pbkxfu:iFFjRbgFDjpqR99fHMudOPCSgCFFh6QociYCLem-VPA' | base64)
curl -v -H "Authorization: Basic $B64AUTH" https://e0ftkb2ckc-e0w1f5ani1-hdwallet.de0-aws.kaleido.io/api/v1/wallets
...
> Authorization: Basic ZTBmMHBia3hmdTppRkZqUmJnRkRqcHFSOTlmSE11ZE9QQ1NnQ0ZGaDZRb2NpWUNMZW0tVlBB
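
The header construction from option 3, as a small shell script. This is an added example, not part of the original Kaleido documentation. It uses the sample credential shown on this page; the function names and the use of a curl config file are choices made for this example.

```shell
#!/bin/sh
# Added example: build and inspect an HTTP Basic Auth header value.
# The credential below is the sample pair shown on this page.
APP_USER='e0f0pbkxfu'
APP_PASS='iFFjRbgFDjpqR99fHMudOPCSgCFFh6QociYCLem-VPA'

# Encode "user:password". printf adds no trailing newline, and tr removes
# the line wrapping some base64 implementations insert into long output.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\r\n'
}

# Decode a header value back to "user:password". No key is needed:
# base64 is an encoding, so the header is as sensitive as the password.
decode_basic_auth() {
    printf '%s' "$1" | base64 -d
}

# Common mistake: a trailing newline (plain `echo` without -n) becomes part
# of the encoded password, so the decoded password no longer matches.
basic_auth_value_with_newline() {
    printf '%s:%s\n' "$1" "$2" | base64 | tr -d '\r\n'
}

# Write the header into a curl config file created with owner-only
# permissions, which keeps the credential off the command line.
# Use it as: curl -K "$file" https://<your-service-host>/api/v1/wallets
write_curl_config() {
    ( umask 077
      printf 'header = "Authorization: Basic %s"\n' \
          "$(basic_auth_value "$1" "$2")" > "$3" )
}

B64AUTH=$(basic_auth_value "$APP_USER" "$APP_PASS")
echo "Authorization: Basic $B64AUTH"
echo "decodes to: $(decode_basic_auth "$B64AUTH")"
```

Because the header decodes without any key, send it only over HTTPS, as in the calls above.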