You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: sources/platform/integrations/programming/api.md
+41-6Lines changed: 41 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -113,19 +113,54 @@ Let's say that you have an Actor and you want to programmatically create schedul
113
113
114
114
:::
115
115
116
-
### Actor execution and scheduling
116
+
### Actor execution
117
117
118
-
When you run an Actor with a scoped token (or schedule one), Apify will inject a new, _unscoped_ token to the Actor. This means that **the Actor will have full access to all resources in your account**.
118
+
When you run an Actor, Apify creates a new, short-lived run API token, and injects it into the Actor environment. This applies to scoped tokens as well, so when you run an Actor with a scoped token, **the Actor is executed with a different token with a different scope.**
119
119
120
-
This way you can be sure that once you give a token the permission to run an Actor, it will just work, and you don't have to worry
121
-
about the exact permissions the Actor might need. However, this also means that you need to trust the Actor.
120
+
In the scoped token configuration you can choose what scope the run API token gets, effectively determining what the Actor can access during its run.
122
121
123
-
:::note
122
+
Apify currently supports two modes:
123
+
124
+
-**Full access**: Allow Actors to access all your account's data.
125
+
-**Restricted access**: Restrict what Actors can access using the scope of this Actor.
126
+
127
+
128
+
129
+
#### Full access: Allow Actors to access all your account's data
130
+
131
+
When you run an Actor with a scoped token in this mode, Apify will inject an _unscoped_ token to the Actor runtime.
132
+
133
+
This way you can be sure that once you give a token the permission to run an Actor, it will just work, and you don't have to worry about the exact permissions the Actor might need. However, this also means that you need to trust the Actor.
134
+
135
+
:::tip
136
+
Use this mode if you want to integrate with a 3rd-party service to run your Actors. Create a scoped token that can only run the Actor you need, and share it with the service. Even if the token is leaked, it can't be used to access your other data.
137
+
:::
138
+
139
+
#### Restricted access: Restrict what Actors can access using the scope of this Actor
124
140
125
-
This is why **we currently do not allow scoped tokens to create or modify Actors**. With those permissions it would be easy for the token to upload malicious code and gain access to your full account. If you do need to create or modify Actors via Apify API, you need to use an unscoped token.
141
+
When you run an Actor with a scoped token in this mode, Apify will inject a token with the same scope as the scope of the original token.
126
142
143
+
This way you can be sure that Actors won't accidentally—or intentionally—access any data they shouldn't. However, Actors might not function properly if the scope is not sufficient.
144
+
145
+
:::note
146
+
The injected token also gets write access to its default storages, and to the run itself (for example, so that the Actor can abort itself). You don't need to configure this on your scoped token.
147
+
:::
148
+
149
+
:::tip
150
+
This restriction is _transitive_, which means that if the Actor runs another Actor, its access will be restricted as well.
127
151
:::
128
152
153
+
#### Limitations
154
+
155
+
- If a scoped token can run an Actor, it gets **write access to default storages of the runs it triggered**. Moreover, it gets **read access to default storages of _all_ runs of that Actor**. If this is not desirable, change your Actor to output data into an existing named storage, or have it create a new storage.
156
+
-**We currently do not allow scoped tokens to create or modify Actors**. If you do need to create or modify Actors via Apify API, use an unscoped token.
157
+
158
+
### Schedules
159
+
160
+
You can use scoped tokens to schedule Actor and Tasks. Each schedule invocation triggers a new Actor run, creating and injecting a new run API token into the Actor.
161
+
162
+
However, **this token is always unscoped, which means that the scheduled Actor has access to all your account data**, regardless of the scope of the token that scheduled it.
163
+
129
164
### Webhoooks configuration
130
165
131
166
If you allow a token to run an Actor, it'll also be able to manage the Actor's webhooks (similarly for tasks).
0 commit comments