Use JWTs for API private key #1089
-
Thanks, this is super helpful (especially the snippet)! Currently DB access is necessary to verify API keys; switching to JWT would improve the project's DDoS protection a lot indeed.
-
On second thought, make the private key a JWT instead of the public key. You'd still be able to validate it the same at the edge with basic auth. Having the public key be longer than the private key is likely going to confuse some new users. I would say make both a JWT, but then you will confuse users about which is which (as they both look like similarly random strings).
-
Describe the feature or potential improvement
While thankfully Langfuse isn't being DDoSed yet, it wouldn't be a bad idea to proactively use JWTs for the private key / "password" part of the API authentication.
This would allow adding stateless token verification at the edge (with a Cloudflare Worker or Lambda@Edge) in the future, before doing an "expensive" call to the Langfuse database.
Copied some starter code/notes for you from one of our internal projects. =)
Additional information
No response
Contribute
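The stateless edge check this request describes, as an added example that is not from the post or the Langfuse code base: the secret half of the Basic auth pair is an HS256 JWT, verified with Node's `crypto` module before any database call. The `pk` and `exp` claims, the function names and all key values are assumptions made for illustration.

```javascript
// Added example; claim names (pk, exp) and all key values are assumptions.
const nodeCrypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Issuer side: runs once, when the API key pair is created.
function issueSecretKey(publicKey, signingSecret, expSeconds) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ pk: publicKey, exp: expSeconds }));
  const sig = nodeCrypto.createHmac('sha256', signingSecret)
    .update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

// Edge side: returns { ok, reason } without touching the database.
function verifyAtEdge(authorizationHeader, signingSecret, nowSeconds) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(authorizationHeader || '');
  if (!m) return { ok: false, reason: 'not-basic-auth' };
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return { ok: false, reason: 'malformed-credentials' };
  const publicKey = decoded.slice(0, sep);
  const parts = decoded.slice(sep + 1).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not-a-jwt' };
  const [header, payload, sig] = parts;
  let h, p;
  try {
    h = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    p = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'bad-encoding' }; }
  // Pin the algorithm; never let the token's own "alg" choose the check.
  if (!h || h.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const expected = nodeCrypto.createHmac('sha256', signingSecret)
    .update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (!p || p.pk !== publicKey) return { ok: false, reason: 'key-mismatch' };
  if (typeof p.exp !== 'number' || p.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  return { ok: true, publicKey };
}
```

A request that passes this check carries a correctly signed, unexpired key; whether that key has since been revoked is still a question for the database lookup behind the edge.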