Application Credentials

Kaleido allows the generation and validation of strong, generated Application Credentials.

By default in any Kaleido node, these credentials are verified over HTTPS with Basic Authentication headers.

With the addition of the Blockchain Application Firewall the same API Keys can be supplied in any of the following ways:

  • Using Basic Authentication headers
  • Bearer token in an Authorization: Bearer XYZ header
  • Bearer token in an access_token query parameter
  • Custom header
  • Custom query parameter
  • Custom cookie

It might take a short time (up to 2 minutes) for new or regenerated application credentials to be authenticated by the blockchain application firewall after they are created.

Claim Mapping for Application Credentials

The only information established about a connection authenticated with Application Credentials is the id of the Application Credential that was used to connect.

As such, the only two Claim Mappings recommended for assigning a ruleset to an Application Credential connection are as follows:

  • {"id": "u0abcd1234"} - an exact match against the credential id
    • See Multi-tenant nodes for dynamic generation of these rules based on configured tenants
  • {"id": ".+"} - regular expression that matches any authenticated credential

The secret part of the Application Credential can be regenerated without changing the id.

Example Configuration

  "appcreds": {
    "enabled": true,
    "basicAuth": true,     // Enable via "Authorization: Basic BASE64CREDS" header
    "bearer": true,        // Enable via "Authorization: Bearer SECRETKEY" header
    "header": "X-Api-Key", // Enable via "X-Api-Key: SECRETKEY" header
    "query": "apikey",     // Enable via "?apikey=SECRETKEY" query parameter
    "cookie": "apikey",    // Enable via "apikey=SECRETKEY" cookie
    "mappings": [
      {
        "claims": {"id": "u0abcd1234"}, // Configure a special key to assign to an admin role
        "ruleset": "admin-rules"
      },
      {
        "claims": {"id": ".+"},         // Assign all other authenticated keys to a reduced set of permissions
        "ruleset": "user-rules"
      }
    ]
  }

The full schema for the appcreds section is described in the details of the POST to configurations in
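The credential lookup across the enabled channels and the claim mapping described above, as an added example that is not Kaleido's own code: it pulls the presented secret from whichever enabled channel the request uses, resolves it to a credential id against a constructed store, and applies the first mapping whose regular-expression claims fully match. The store, the channel precedence and the regex-match semantics are assumptions for illustration.

```python
import base64, hmac, re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit
# Constructed config in the shape of the page's "appcreds" section (illustrative, not Kaleido code).
APPCREDS = {
    "enabled": True, "basicAuth": True, "bearer": True,
    "header": "X-Api-Key", "query": "apikey", "cookie": "apikey",
    "mappings": [
        {"claims": {"id": "u0abcd1234"}, "ruleset": "admin-rules"},
        {"claims": {"id": ".+"}, "ruleset": "user-rules"},
    ],
}
# Constructed store of credential id -> secret; how Kaleido stores and looks up secrets is an assumption.
CRED_STORE = {"u0abcd1234": "adminSecret", "u0ffff9999": "userSecret"}

def extract_secret(cfg, headers, url, cookie_header=""):
    """Return the presented secret from the first enabled channel (assumed order: as the page lists them)."""
    auth = headers.get("Authorization", "")
    if cfg.get("basicAuth") and auth.startswith("Basic "):
        return base64.b64decode(auth[6:]).decode().partition(":")[2]  # password half of user:pass
    if cfg.get("bearer") and auth.startswith("Bearer "):
        return auth[7:]
    query = parse_qs(urlsplit(url).query)
    if cfg.get("bearer") and query.get("access_token"):
        return query["access_token"][0]
    if cfg.get("header") and headers.get(cfg["header"]):
        return headers[cfg["header"]]
    if cfg.get("query") and query.get(cfg["query"]):
        return query[cfg["query"]][0]
    cookies = SimpleCookie(cookie_header)
    if cfg.get("cookie") and cfg["cookie"] in cookies:
        return cookies[cfg["cookie"]].value
    return None

def resolve_ruleset(cred_id, mappings):
    """First mapping whose claim patterns all fully match; the only claim available is the credential id."""
    claims = {"id": cred_id}
    for m in mappings:
        if all(re.fullmatch(pat, claims.get(k, "")) for k, pat in m["claims"].items()):
            return m["ruleset"]
    return None  # no mapping matched: no ruleset, so deny

def authorize(cfg, headers, url, cookie_header="", store=CRED_STORE):
    """Ruleset to apply to this request, or None when no valid credential was presented."""
    secret = extract_secret(cfg, headers, url, cookie_header) if cfg.get("enabled") else None
    for cred_id, stored in store.items():  # constant-time compare so timing does not leak the secret
        if secret is not None and hmac.compare_digest(stored.encode(), secret.encode()):
            return resolve_ruleset(cred_id, cfg["mappings"])
    return None
```

Because the only claim is the id, a mapping that lists any other claim key can never match and will silently fall through to the next mapping.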