📁 API Resource
What is an API resource?
API resources, also known as Resource Indicators (RFC 8707), identify the target service or resource that a client is requesting access to. The value is usually a URI that represents the resource's identity.
Why is API resource needed?
Logto, as an authorization server, is designed to serve a large number of services and APIs. By indicating which API resource an end-user intends to access, Logto can issue a signed access token with the matching audience restriction, so a token minted for one API cannot be replayed against another.
Requiring a valid access token on every request to your API keeps your private resources from being read or abused by unauthenticated callers.
- A resource value indicates the target service or resource to which access is being requested.
- Its value MUST be an absolute URI.
- The URI MUST NOT include a fragment component.
- It SHOULD NOT include a query component.
- The client SHOULD provide the most specific URI it can for the complete API or set of resources it intends to access.
In practice, a client may know the base URI of the application or resource it interacts with. That base URI is an appropriate value for the resource parameter.
For example, the Logto Management API base URI.
By default, this API resource is pre-registered in your Logto service. All Management APIs under this URI are protected by Logto.
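The rules above are mechanical enough to check before you register an API Identifier or pass a `resource` parameter. The following is an added example, not Logto's own code: a small validator in Node.js with no dependencies. It assumes a value counts as "absolute" when the WHATWG URL parser accepts it without a base, reports a fragment as an error (the rule is MUST NOT) and a query as a warning (the rule is SHOULD NOT).

```javascript
// Added example, not Logto's own code: validate a candidate resource indicator
// (API Identifier) against the rules from the text above. Node.js, no deps.
// Assumptions: "absolute URI" == accepted by `new URL(value)` without a base;
// a fragment (even an empty "#") is an error, a query component is a warning.
function validateResourceIndicator(value) {
  const errors = [];
  const warnings = [];

  if (typeof value !== 'string' || value.trim() === '') {
    return { ok: false, errors: ['value must be a non-empty string'], warnings };
  }

  // MUST be an absolute URI: relative references such as "api.example.com/orders"
  // or "/orders" have no scheme and make the parser throw.
  try {
    new URL(value);
  } catch {
    errors.push('value must be an absolute URI with a scheme');
  }

  // MUST NOT include a fragment component. Checked on the raw string because the
  // URL parser reports an empty fragment ("https://a/#") as hash === "".
  if (value.includes('#')) {
    errors.push('URI must not include a fragment component');
  }

  // SHOULD NOT include a query component: allowed, but flagged.
  if (value.includes('?')) {
    warnings.push('URI should not include a query component');
  }

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample inputs covering each rule.
const samples = [
  'https://api.example.com/orders',   // fine
  'urn:example:orders',               // absolute non-http URI, also fine
  'api.example.com/orders',           // not absolute
  'https://api.example.com/#v2',      // fragment
  'https://api.example.com/orders?v=1', // query: warning only
];

for (const s of samples) {
  console.log(s, '=>', JSON.stringify(validateResourceIndicator(s)));
}
```

Run it once over the identifiers you plan to register; anything with a non-empty `errors` list will not be a usable audience value, and anything with a warning is worth simplifying before clients start depending on it.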
Logto API Resource Schema
| Property name | Description | Required |
| --- | --- | --- |
| API Name | A user-friendly name that helps you identify the API resource. | true |
| API Identifier | The unique Resource Indicator value, subject to the restrictions listed above. Logto uses it to identify the requested API resource and to issue audience-restricted access tokens accordingly. | true |
| Token expiration time (in seconds) | The expiration time set for the `access_token`. The default is 3600. | false |
Requests carrying an expired `access_token` must be rejected; this limits the damage a leaked or abused token can do. The larger the value, the longer an issued `access_token` stays valid, and the larger the window in which a stolen token can be used against your API.
Permissions and RBAC
See 🔐 RBAC for details.
How does it work
1. Authorization request
Provide one or more `resource` parameters in the authorization request, listing every protected resource the user may later request.
Logto validates and stores these resource indicators. The returned `authorization_code` is bound to them, so access tokens can later be issued only for the resources named here, with scopes restricted accordingly.
2. Access Token request
When a `resource` parameter is present in the access token request together with the `authorization_code` granted above, it selects the API resource that becomes the audience of the requested access token.
POST http://localhost:3001/oidc/token HTTP/1.1
Logto issues a signed access token whose audience is restricted to the requested resource. The token carries the data your API needs to decide the request's authorization status, e.g., the requesting user's identity and roles, the token's audience, and its expiration time.
3. API Resource request
The client sends a request to the API resource, presenting the issued `access_token` in the Authorization header:
Authorization: Bearer eyJhbGciOiJIUz...
Please follow our ⚔️ Protect Your API guide to implement token validation in your server-side APIs and keep your resources well protected.
Logto follows the standard token-based authorization protocol, OAuth 2.0, to protect your API resources. To learn more, refer to the official OAuth 2.0 specification.