Data API Authentication

SingleStore's Data API uses the Basic and Bearer Authentication standards. You can also use JWTs for password-less access to the database with Bearer Authentication. To authenticate via a JWT, send the JWT in the Bearer Authorization header. For authentication to succeed, the JWT must be signed with a key listed in the JWKS that the engine fetches from its jwks_endpoint. See Authenticate via JWT for more information.

To enable JWT-based authentication on SingleStore:

  • Configure the JWKS endpoint. Set the jwks_endpoint variable on the database server.

  • Make an HTTP POST request to the /api/v2/jwks_setup endpoint so that the engine loads the key set.
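The following added example (not SingleStore's code) shows the check the engine conceptually performs on a Bearer JWT: select the key named by the token's kid from the JWKS, confirm the algorithm matches what the key declares, verify the signature, and reject expired tokens. To keep it runnable with the standard library only, the constructed JWKS carries a symmetric "oct" key and the token is signed with HS256; the names DEMO_JWKS, DEMO_SECRET and the kid value are assumptions, and real JWKS documents usually hold RSA or EC public keys, which need a crypto library to verify.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed secret and JWKS standing in for the document fetched from jwks_endpoint.
# Assumption: a symmetric "oct" key is used so the example runs without extra libraries.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
DEMO_JWKS: Dict[str, Any] = {
    "keys": [
        {
            "kty": "oct",
            "kid": "demo-key-1",
            "alg": "HS256",
            "k": base64.urlsafe_b64encode(DEMO_SECRET).rstrip(b"=").decode("ascii"),
        }
    ]
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the '=' padding that JWTs drop, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: Dict[str, Any], secret: bytes, kid: str) -> str:
    """Issue an HS256 JWT (the identity provider's side of the exchange)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + b64url_encode(json.dumps(claims, **compact).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, jwks: Dict[str, Any], now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Verify a JWT against a JWKS; return the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    kid = header.get("kid")
    if kid is None:
        return None
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    # Never trust 'alg' from the token alone: it must equal the algorithm the JWKS entry
    # declares for this key, which rules out "none" and algorithm substitution.
    if key is None or key.get("kty") != "oct" or key.get("alg") != "HS256" or header.get("alg") != "HS256":
        return None
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    token = sign_jwt({"sub": "demo", "exp": 2_000_000_000}, DEMO_SECRET, "demo-key-1")
    print("Authorization: Bearer " + token)
    print(verify_jwt(token, DEMO_JWKS))
```

The key lookup is by kid rather than by trying every key, and the token's alg is only accepted when it matches the JWKS entry, so a forged header cannot steer verification to a weaker or absent algorithm.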

A user agent authenticates with the server by sending its credentials in an Authorization request header. The header contains the authentication method (Basic or Bearer), a space, and then the authentication information: for Basic, the Base-64 encoding of the string username:password; for Bearer, the JWT.

Authorization: [Basic | Bearer] <Base-64 encoded username:password|JWT>

For example, the Basic Authorization header for the username demo and password Afu4XjzB1ns would appear as follows, where ZGVtbzpBZnU0WGp6QjFucw== is the Base-64 encoding of the demo:Afu4XjzB1ns string.

Authorization: Basic ZGVtbzpBZnU0WGp6QjFucw==

If the server requires the user agent to authenticate itself after receiving an unauthenticated request, it will respond with a 401 Unauthorized status and the WWW-Authenticate header.
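Below is an added example (not part of the SingleStore documentation or code base) of both sides of the exchange described above: the client builds the Basic and Bearer header values, and a minimal server-side check parses the header, decodes the Basic credentials, compares them in constant time, and answers 401 with a WWW-Authenticate challenge when anything is missing or wrong. The username and password are the ones from the example in the text; the realm string and function names are assumptions.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Credentials from the example in the text above.
USERNAME = "demo"
PASSWORD = "Afu4XjzB1ns"


def basic_header(username: str, password: str) -> str:
    """Build the Basic Authorization header value: Base-64 of 'username:password'."""
    if ":" in username:
        raise ValueError("the user-id may not contain ':' (it delimits the password)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def bearer_header(jwt: str) -> str:
    """Build the Bearer Authorization header value; the JWT is sent as-is."""
    return f"Bearer {jwt}"


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split an Authorization header into (scheme, credentials).
    Returns None for an absent, malformed or unsupported header so the caller answers 401."""
    if not header:
        return None
    parts = header.strip().split(" ", 1)
    if len(parts) != 2 or not parts[1].strip():
        return None
    scheme, credentials = parts[0].lower(), parts[1].strip()
    if scheme not in ("basic", "bearer"):
        return None
    return scheme, credentials


def check_basic(credentials: str, expected_user: str, expected_pass: str) -> bool:
    """Decode Basic credentials and compare both parts in constant time."""
    try:
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_pass.encode("utf-8"))
    return user_ok and pass_ok


def handle_request(authorization: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Model the server's decision: (200, {}) on valid Basic credentials, otherwise
    (401, {'WWW-Authenticate': ...}) as described in the text. Assumed realm name."""
    challenge = {"WWW-Authenticate": 'Basic realm="singlestore-data-api"'}
    parsed = parse_authorization(authorization)
    if parsed is None:
        return 401, challenge
    scheme, credentials = parsed
    if scheme == "basic" and check_basic(credentials, USERNAME, PASSWORD):
        return 200, {}
    # A Bearer token would be verified against the JWKS here; this demo only accepts Basic.
    return 401, challenge


if __name__ == "__main__":
    header = basic_header(USERNAME, PASSWORD)
    print("Authorization:", header)          # Basic ZGVtbzpBZnU0WGp6QjFucw==
    print(handle_request(header))            # (200, {})
    print(handle_request("Basic ZGVtbzp3cm9uZw=="))  # 401 with WWW-Authenticate
```

Decoding with validate=True rejects stray characters instead of silently skipping them, and the constant-time comparison avoids leaking how much of a guessed credential matched. Because every failure path returns the same 401 and challenge, the response does not reveal whether the user name or the password was the wrong part.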

Warning

Because the Basic and Bearer Authentication methods transfer the username and password (or the JWT) over the network in clear text, they must be used together with HTTPS/SSL. Production use of SingleStore's Data API should only take place with SSL (HTTPS) enabled so that the authentication information stays confidential.

Last modified: May 5, 2023

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK