SpacetimeDB HTTP Authorization
Rather than a password, each Spacetime identity is associated with a private token. These tokens are generated by SpacetimeDB when the corresponding identity is created, and cannot be changed.
Note
Do not share your SpacetimeDB token with anyone, ever.
Generating identities and tokens
Clients can request a new identity and token via the /identity POST HTTP endpoint.
Alternately, a new identity and token will be generated during an anonymous connection via the WebSocket API, and passed to the client as an IdentityToken message.
Encoding Authorization headers
Many SpacetimeDB HTTP endpoints either require or optionally accept a token in the Authorization header. SpacetimeDB authorization headers use Basic authorization with the username token and the token as the password. Because Spacetime tokens are not passwords, and SpacetimeDB Cloud uses TLS, usual security concerns about HTTP Basic authorization do not apply.
To construct an appropriate Authorization header value for a token:
- Prepend the string token:.
- Base64-encode.
- Prepend the string Basic .
Rust
fn auth_header_value(token: &str) -> String {
let username_and_password = format!("token:{}", token);
let base64_encoded = base64::prelude::BASE64_STANDARD.encode(username_and_password);
format!("Basic {}", encoded)
} C#
public string AuthHeaderValue(string token)
{
var username_and_password = Encoding.UTF8.GetBytes($"token:{auth}");
var base64_encoded = Convert.ToBase64String(username_and_password);
return "Basic " + base64_encoded;
}