Access Key
What Are Access Keys?
An Access Key is a permanent credential provided by the Blocklet platform, composed of an AccessKey ID and AccessKey Secret key pair. This key pair is used to authenticate and authorize your requests, enabling you to access and interact with Blocklet data.
Access Key Structure and Purpose:
- AccessKey ID: A unique string that identifies the user. It tells the Blocklet platform which user made the request.
- AccessKey Secret: This is the secret key used to verify ownership of this AccessKey ID. It is a highly confidential string used to generate cryptographic signatures for your requests, confirming your identity as the AccessKey ID holder.
Note: Access Keys are not used for logging into the console. They are specifically designed for programmatic access to Blocklet data, such as via development tools like APIs, command-line interfaces (CLIs), and software development kits (SDKs). When you make a request using these tools, the request includes the Access Key ID and Secret, which are used to generate a signature that encrypts the request content. This signature is then used for authentication and to verify the request's legitimacy.
Access Key Best Practices
Access keys offer powerful programmatic access, but their compromise or misuse can seriously threaten all Blocklet resources associated with your account. Adhering to the following best practices is essential for maintaining a secure Blocklet environment:
- Minimize the creation of permanent access keys: Avoid creating perpetually valid access keys. Instead, set expiration dates for access keys to mitigate the potential damage from compromised credentials.
- Safeguard Your Credentials: Treat your AccessKey ID and AccessKey Secret as highly confidential passwords. Never share them with others or store them in public documents, unprotected version control systems, or any insecure files.
- Avoid Hardcoding: Never embed Access Key information directly into your code. This practice is extremely risky; if the code is accessed or shared, the keys will be exposed. Always use secure credential management methods, such as environment variables, key management services, or configuration files stored outside of public code repositories.
- Delete Unused Access Keys Promptly: When an access key is no longer needed, delete it immediately. Unused keys represent a potential security risk.
- Regularly Rotate Access Keys: Implement a policy of regularly rotating access keys. This involves generating new keys and deactivating old ones. Regular rotation minimizes the impact of a compromised key by limiting its validity period.
- Grant Least Privilege: Always adhere to the principle of least privilege, granting each Access Key only the minimum necessary permissions to perform its designated tasks. Avoid granting broad permissions such as "administrator" or "full access" unless absolutely required. Fine-grained permission control minimizes potential damage should a key be compromised.
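A pre-commit style check for the "Avoid Hardcoding" practice above, as an added example that is not part of the Blocklet documentation or SDK. It flags literal key values in SDK calls, JSON config, CLI flags and Bearer headers while letting environment-variable references pass; the patterns are assumptions inferred from the sample values on this page, and the sample input and variable names are constructed.

```javascript
// Added example, not Blocklet code. Patterns are assumptions inferred from the
// sample values on this page; tune them to the keys your server issues.
const RULES = [
  // Simple access key: "blocklet-" prefixed token, as sent in a Bearer header.
  { id: 'simple-key-token', re: /\bblocklet-[A-Za-z0-9]{20,}\b/ },
  // SDK or JSON config: string literal assigned to accessKeyId / accessKeySecret.
  { id: 'sdk-key-literal',
    re: /\baccessKey(?:Id|Secret)["']?\s*[:=]\s*["'`][A-Za-z0-9]{20,}["'`]/ },
  // CLI: literal value following --access-key / --access-secret.
  { id: 'cli-key-literal', re: /--access-(?:key|secret)[ =]+["']?[A-Za-z0-9]{20,}\b/ },
];

// Mask the key body so the scanner's own output does not leak it into CI logs.
function redact(match) {
  return match.replace(/[A-Za-z0-9]{20,}/, (v) => `${v.slice(0, 4)}...(${v.length} chars)`);
}

// Return one finding per rule hit: { file, line, rule, match }.
function scanText(text, file = '<stdin>') {
  const findings = [];
  text.split(/\r?\n/).forEach((content, i) => {
    for (const { id, re } of RULES) {
      const m = re.exec(content);
      if (m) findings.push({ file, line: i + 1, rule: id, match: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample input: the key values and variable names are made up.
const SAMPLE = [
  'client.setAuthAccessKey({',
  '  accessKeyId: process.env.BLOCKLET_ACCESS_KEY_ID,',
  '  accessKeySecret: "z9CONSTRUCTEDsecretVALUE1234567890abcd",',
  '});',
  'curl -H "Authorization: Bearer blocklet-z1CONSTRUCTEDtokenVALUE12345678" "$URL"',
  'blocklet deploy --access-key "$KEY_ID" --access-secret "$KEY_SECRET" ./bundle',
].join('\n');

const findings = scanText(SAMPLE, 'sample.js');
console.log(findings);
```

In a commit hook, pass each staged file's contents to `scanText` and fail the commit when it returns any finding.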
Create an Access Key
- Access the Admin Console: First, log in to your Blocklet Admin Console as a user administrator.
- Navigate to integration settings: Open the dashboard, then select "integrations" and click "access keys".
- To create a key: Click the "Create access-key" button.
- Access Key Name: A descriptive name that helps you identify this key's purpose (e.g., "CI/CD Deployment Key," "Data Analysis Service Key").
- Access Key Permissions: Critically, grant only the minimum necessary permissions required for the key's intended use. This adheres to the principle of least privilege.
- Access Key Types: Blocklets offer two levels of access key security:
  - Signature Security: Employs enterprise-grade security standards and encryption technologies. Integration with the Blocklet SDK (@abtnode/client) is required, making it ideal for scenarios demanding high security and involving the transfer of sensitive data.
  - Simple Security: This lightweight token mechanism, similar to an OpenAPI Key, supports RESTful API calls and third-party service integrations. Integration is quick and code-free via HTTP headers, making it ideal for rapid development and prototyping.
- Access Key Expiration Date: While Access Keys can be set to "permanent" by default, we strongly recommend setting a specific expiration date for enhanced security.
Working with Access Keys
How you use an Access Key depends on the type you select:
1. Signature Access Key (for SDK integration)
High-security access keys are generally used in conjunction with the Blocklet SDK to provide robust encryption and authentication.
const Client = require('@abtnode/client');
const client = new Client(fullEndpoint);
// Sample values: load real credentials from the environment, not from source.
client.setAuthAccessKey({
  accessKeyId: "z1nDbbdm5egHTJz3KZkaairGt6izf9eMoZV",
  accessKeySecret: "z66V1N8fmn7WtvuHg1PSZWfTshi1pxexGPBfrTDTGLJZ34jkVaTM3yyMcxSAfDhoLPG62TzzBjWdPDig9kCcDm2ZD",
});
// `await` needs an async context in a CommonJS module.
(async () => {
  const result = await client.getBlocklet(
    { input: { did: rootDid, attachRuntimeInfo: false } },
    { headers: { 'x-access-blocklet': rootDid } }
  );
})();
You can also deploy Blocklets to a specific application with a Signature Access Key by passing it to the Blocklet CLI. The key values below are samples; in a pipeline, supply them from secret variables rather than writing them into the script.
blocklet deploy \
  --endpoint https://bbqavvuuki6llb76sxmf5ukteogoeyx42bwhzl46s7i.did.abtnet.io \
  --access-key z1nDbbdm5egHTJz3KZkaairGt6izf9eMoZV \
  --access-secret z66V1N8fmn7WtvuHg1PSZWfTshi1pxexGPBfrTDTGLJZ34jkVaTM3yyMcxSAfDhoLPG62TzzBjWdPDig9kCcDm2ZD \
  {blockletPath}/.blocklet/bundle
2. Simple Access Key (RESTful API Calls)
A Simple Access Key functions similarly to a traditional API key and is well-suited for quick integration with RESTful APIs.
curl -H "Authorization: Bearer blocklet-z1ohw91Z6SzKcC2Hs7CwhV2ubCRMoN4zdhhM8NszuDj6" "https://bbqavvuuki6llb76sxmf5ukteogoeyx42bwhzl46s7i.did.abtnet.io/.well-known/service/api/did/session"