Authentication
PAD-as-a-Service API uses API keys to authenticate users. All API keys have the prefix pad
. Each API key identifies a role in a particular instance. There are 6 roles:
Operator
Encryptor
Decryptor
Trustee
Validator
Auditor
For example, a trustee referencing 3 different instances should have at least 3 different Trustee
API keys for each instance. He cannot access some of the endpoints disallowed for a Trustee
role (e.g. uploading an encryption).
Using an API key
API keys should be provided in the request header X-API-KEY
field. Making a request missing an API key or with an invalid API key will get a 401 Unauthorized
response.
Access control list
/PADs
POST
/all-trustees
GET
/all-trustees/:trusteeId
GET
/all-validators
GET
/all-validators/:validatorId
GET
/metadata
GET
/encryptions
POST
/encryptions
PUT
/encryptions/:tokenHash/status
GET
/encryptions/:tokenHash/ciphertext
GET
/encryptions/:tokenHash/encrypted-trustee-shares/:trusteeId
GET
/encryptions/:tokenHash/hashed-trustee-shares
GET
/encryptions/:tokenHash/encrypted-validator-shares/:validatorId
GET
/data-requests
POST
/data-requests
GET
/data-requests/:token/trustee-responses
POST
/data-requests/:token/trustee-responses
GET
/data-requests/:token/validator-responses
POST
/data-requests/:token/validator-responses
GET
/trustee-attestations/:trusteeId
PUT
/trustee-attestations/:trusteeId
GET
/digest
GET
/ledger
GET
Rate limiting
We have 2 rate limiting policies: IP + API_key
and API_key
. Both have a limit of 100 requests per minute. In the IP + API_key
policy, if an invalid API key is provided, only the IP is recorded usage of the API. Because of the API_key
policy, distinct users of the same role of an instance should use different API keys. For example, Trustee-1
and Trustee-2
who both reference the same instance could use the same API key for serving the instance properly, but this would trigger rate limiting for the API key because the trustees are sharing quotas.
https
All requests should be made with https protocol. Requests made with http protocol will get a 301 Moved Permanantly
response directed to https.
Last updated