You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: sources/platform/integrations/programming/api.md
+43-14Lines changed: 43 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,10 +25,8 @@ To access the Apify API in your integrations, you need to authenticate using you
25
25
26
26
27
27
:::caution
28
-
29
28
Do not share the API token with untrusted parties, or use it directly from client-side code,
30
29
unless you fully understand the consequences! You can also consider [limiting the permission scope](#limited-permissions) of the token, so that it can only access what it really needs.
31
-
32
30
:::
33
31
34
32
## Authentication
@@ -54,6 +52,10 @@ By default, tokens can access all data in your account. If that is not desirable
54
52
55
53
**A scoped token can access only those resources that you'll explicitly allow it to.**
56
54
55
+
:::info
56
+
We do not allow scoped tokens to create or modify Actors. If you do need to create or modify Actors through Apify API, use an unscoped token.
57
+
:::
58
+
57
59
### How to create a scoped token
58
60
59
61
Scoped tokens behave like standard API tokens and are managed through the [Integrations](https://console.apify.com/settings/integrations) page in Apify Console. When creating a token (or updating an existing one), simply toggle "Limit token permissions" to make the token scoped.
@@ -71,9 +73,7 @@ We support two different types of permissions for tokens:
71
73
-**Resource-specific permissions**: These will apply only to specific, existing resources. For example, you can use these to allow the token to read from a particular dataset.
72
74
73
75
:::tip
74
-
75
76
A single token can combine both types. You can create a token that can _read_ any data storage, but _write_ only to one specific key-value store.
76
-
77
77
:::
78
78
79
79
@@ -85,9 +85,7 @@ If you need to create new resources with the token (for example, create a new Ta
85
85
Once you create a new resource with the token, _the token will gain full access to that resource_, regardless of other permissions. It is not possible to create a token that can create a dataset, but not write to it.
86
86
87
87
:::tip
88
-
89
88
This is useful if you want to for example create a token that can dynamically create & populate datasets, but without the need to access other datasets in your account.
90
-
91
89
:::
92
90
93
91
### Permission dependencies
@@ -108,24 +106,55 @@ Other dependencies are more complicated, and **it is your responsibility that th
108
106
- Similarly, to create or update a task, the token needs the additional permission to access the task's Actor itself.
109
107
110
108
:::tip
111
-
112
109
Let's say that you have an Actor and you want to programmatically create schedules for that Actor. Then you can create a token that has the account level _Create_ permission on schedules, but only the resource-specific _Run_ permission on the Actor. Such a token has exactly the permissions it needs, and nothing more.
113
-
114
110
:::
115
111
116
-
### Actor execution and scheduling
112
+
### Actor execution
113
+
114
+
When you run an Actor, Apify creates a new, short-lived run API token, and injects it into the Actor environment. This applies to scoped tokens as well, so when you run an Actor with a scoped token, **the Actor is executed with a different token with a different scope.**
115
+
116
+
In the scoped token configuration you can choose what scope the run API token gets, effectively determining what the Actor can access during its run.
117
+
118
+
Apify currently supports two modes:
119
+
120
+
-**Full access**: Allow Actors to access all your account's data.
121
+
-**Restricted access**: Restrict what Actors can access using the scope of this Actor.
117
122
118
-
When you run an Actor with a scoped token (or schedule one), Apify will inject a new, _unscoped_ token to the Actor. This means that **the Actor will have full access to all resources in your account**.
123
+
119
124
120
-
This way you can be sure that once you give a token the permission to run an Actor, it will just work, and you don't have to worry
121
-
about the exact permissions the Actor might need. However, this also means that you need to trust the Actor.
125
+
#### Full access: Allow Actors to access all your account's data
122
126
123
-
:::note
127
+
When you run an Actor with a scoped token in this mode, Apify will inject an _unscoped_ token to the Actor runtime.
124
128
125
-
This is why **we currently do not allow scoped tokens to create or modify Actors**. With those permissions it would be easy for the token to upload malicious code and gain access to your full account. If you do need to create or modify Actors via Apify API, you need to use an unscoped token.
129
+
This way you can be sure that once you give a token the permission to run an Actor, it will just work, and you don't have to worry about the exact permissions the Actor might need. However, this also means that you need to trust the Actor.
126
130
131
+
:::tip
132
+
Use this mode if you want to integrate with a 3rd-party service to run your Actors. Create a scoped token that can only run the Actor you need, and share it with the service. Even if the token is leaked, it can't be used to access your other data.
133
+
:::
134
+
135
+
#### Restricted access: Restrict what Actors can access using the scope of this Actor
136
+
137
+
When you run an Actor with a scoped token in this mode, Apify will inject a token with the same scope as the scope of the original token.
138
+
139
+
This way you can be sure that Actors won't accidentally—or intentionally—access any data they shouldn't. However, Actors might not function properly if the scope is not sufficient.
140
+
141
+
:::tip
142
+
This restriction is _transitive_, which means that if the Actor runs another Actor, its access will be restricted as well.
127
143
:::
128
144
145
+
#### Default run storages
146
+
147
+
When Apify [runs an Actor](/platform/actors/running/runs-and-builds#runs), it automatically creates a set of default storages (a dataset, a key-value store and request queue) that the Actor can use in runtime.
148
+
149
+
- Regardless of mode, the injected token always gets write access to its default storages, and to the run itself (for example, so that the Actor can abort itself). You don't need to configure this on your scoped token.
150
+
- If a scoped token can run an Actor, it gets **write access to default storages of the runs it triggered**. Moreover, it gets **read access to default storages of _all_ runs of that Actor**. If this is not desirable, change your Actor to output data into an existing named storage, or have it create a new storage.
151
+
152
+
### Schedules
153
+
154
+
You can use scoped tokens to schedule Actor and Tasks. Each schedule invocation triggers a new Actor run, creating and injecting a new run API token into the Actor.
155
+
156
+
However, **this token is always unscoped, which means that the scheduled Actor has access to all your account data**, regardless of the scope of the token that scheduled it.
157
+
129
158
### Webhoooks configuration
130
159
131
160
If you allow a token to run an Actor, it'll also be able to manage the Actor's webhooks (similarly for tasks).
0 commit comments