Version: 2.0.0

Authorization

Generating identities and tokens

SpacetimeDB can derive an identity from the sub and iss claims of any OpenID Connect compliant JSON Web Token.

Clients can request a new identity and token signed by the SpacetimeDB host via the POST /v1/identity HTTP endpoint. Such a token will not be portable to other SpacetimeDB clusters.

Alternatively, a new identity and token will be generated during an anonymous connection via the WebSocket API, and passed to the client as an IdentityToken message.

Authorization headers

Many SpacetimeDB HTTP endpoints either require or optionally accept a token in the Authorization header. SpacetimeDB authorization headers are of the form Authorization: Bearer ${token}, where token is an OpenID Connect compliant JSON Web Token, such as the one returned from the POST /v1/identity HTTP endpoint.

All /v1/database endpoints support anonymous access. If no Authorization header is provided, SpacetimeDB will allocate a new anonymous identity for the request. Anonymous requests can access public information (database info, schemas, names) and can call reducers or run SQL queries, but will only have access to public tables and will be rejected when attempting privileged operations like deleting a database or viewing logs.
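
An added example, not part of the SpacetimeDB documentation: a client-side helper that reads the iss and sub claims (the pair the identity is derived from) out of a token and builds the Authorization header in the form described above. The function names, issuer URLs and sample tokens are constructed for illustration; the payload is decoded for inspection only and no signature is verified here.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def identity_claims(token: str) -> tuple[str, str]:
    """Return (iss, sub) from a compact JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    iss, sub = claims.get("iss"), claims.get("sub")
    if not (isinstance(iss, str) and iss and isinstance(sub, str) and sub):
        raise ValueError("token lacks a usable iss or sub claim")
    return iss, sub


def bearer_header(token: str) -> dict[str, str]:
    """Build the Authorization header, refusing tokens that could split it."""
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in token):
        raise ValueError("token contains whitespace or control characters")
    identity_claims(token)  # fail early on something that is not a JWT
    return {"Authorization": f"Bearer {token}"}


def sample_token(iss: str, sub: str) -> str:
    # Constructed sample: JWT-shaped structure with a placeholder signature.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header, payload = enc({"alg": "ES256", "typ": "JWT"}), enc({"iss": iss, "sub": sub})
    return f"{header}.{payload}.c2ln"


if __name__ == "__main__":
    a = sample_token("https://issuer-a.example", "user-123")
    b = sample_token("https://issuer-b.example", "user-123")
    print(identity_claims(a), identity_claims(b))  # same sub, different iss
    print(bearer_header(a))
```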

Top level routes

| Route | Description |
| --- | --- |
| GET /v1/ping | No-op. Used to determine whether a client can connect. |

GET /v1/ping

Does nothing and returns no data. Clients can send requests to this endpoint to determine whether they are able to connect to SpacetimeDB.