SpacetimeDB HTTP Authorization

Generating identities and tokens

SpacetimeDB can derive an identity from the sub and iss claims of any OpenID Connect compliant JSON Web Token.

Clients can request a new identity and token signed by the SpacetimeDB host via the POST /v1/identity HTTP endpoint. Such a token will not be portable to other SpacetimeDB clusters.

Alternately, a new identity and token will be generated during an anonymous connection via the WebSocket API, and passed to the client as an IdentityToken message.

`Authorization` headers

Many SpacetimeDB HTTP endpoints either require or optionally accept a token in the Authorization header. SpacetimeDB authorization headers are of the form Authorization: Bearer ${token}, where token is an OpenID Connect compliant JSON Web Token, such as the one returned from the POST /v1/identity HTTP endpoint.

Top level routes

Route	Description
`GET /v1/ping`	No-op. Used to determine whether a client can connect.

`GET /v1/ping`

Does nothing and returns no data. Clients can send requests to this endpoint to determine whether they are able to connect to SpacetimeDB.

Generating identities and tokens​

Authorization headers​

Top level routes

GET /v1/ping​

Generating identities and tokens

`Authorization` headers

`GET /v1/ping`