App security
There are several layers of security controls in Altogic to protect your applications from malicious users or attackers.
- API keys: API keys are unique codes used to authenticate the parties that call your application's services through its endpoints. An API key is only valid in the environment in which it was created. You can create full-access, read-only, custom allowed-endpoints, or custom excluded-endpoints keys, with or without a set expiration date.
- Client library keys: Altogic provides a client API that significantly speeds up integration of your frontend apps with your Altogic backend. To use the Altogic client API you need to create a client key, which specifies the access rights and the authorized domains. Using client keys you can manage (allow or restrict) client API access to the modules of your backend app and accept only client requests that originate from a list of predefined domains.
- Session tokens: A session facilitates secure interactions between a user and an application and applies to requests and responses associated with that particular user. Session tokens serve to identify a user’s session for the RESTful API requests.
- Role based access controls: Access groups (e.g., user roles) are used to authorize specific endpoints of your application. When you create an endpoint, you can specify the list of access groups that are allowed to access the service exposed by the endpoint. To use access groups, sessions need to be enabled for the endpoints in consideration, and when creating the user session, the access group key needs to be provided.
- Rate limiting: Rate limiting puts a cap on how often someone can call an endpoint or client library method of your app within a certain timeframe – for instance, how often they can attempt to log in to an account. Rate limiting helps stop certain kinds of malicious bot activity, such as brute-force login attempts. You can define default rate limits for endpoints and for realtime messaging separately at the application level. If needed, you can also override the default app-level rate limits for each endpoint and client key.
- Authorized domains: An API key or client key can be used from all domains or only from "Authorized Domains". Altogic lets you restrict the consumers of your application services (e.g., frontend apps, other backend apps) to a list of Authorized Domains. In that case, your application endpoints must be called from one of the Authorized Domains; otherwise, Altogic raises an error.
- Object level security: Object security rules define the conditions under which certain operations on your app data are allowed or restricted. When the security rule expression evaluates to true, or if the expression is left empty, the requested action on your app data object is allowed (an empty rule therefore permits the action for every caller). In Altogic, you can define object level security rules for all your permanent models, cloud storage buckets and files, and your app's cache keys.
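To show how the controls listed above fit together at the edge of an API, here is an added illustrative model of a request gateway. It is example code written for this page, not Altogic's own implementation or API: the key record shapes, the `authorize` function, the request fields (`apiKey`, `env`, `origin`, `sessionToken`), the access-group and rate-limit rules, and all sample keys and sessions are constructed assumptions. It demonstrates per-environment API keys with the four key modes and expiration, authorized-domain checks on the request origin, access-group (role) checks that require a session, and a fixed-window rate limit with a per-endpoint override of the app default.

```javascript
// Illustrative gateway checks for the controls described above (example code,
// not Altogic's). All identifiers, records and header-like fields are assumptions.

// Constructed API key records. "mode" mirrors the four key types on the page.
const API_KEYS = {
  key_full:     { mode: "full",      env: "prod", expiresAt: null, domains: null },
  key_readonly: { mode: "read-only", env: "prod", expiresAt: null, domains: ["https://app.example.com"] },
  key_allow:    { mode: "allowed",   env: "prod", expiresAt: null, domains: null, endpoints: ["GET /orders"] },
  key_excluded: { mode: "excluded",  env: "prod", expiresAt: null, domains: null, endpoints: ["DELETE /orders"] },
  key_expired:  { mode: "full",      env: "prod", expiresAt: 1,    domains: null }, // expired at epoch+1ms
};

// Constructed endpoints; "groups" lists the access groups allowed (null = no session needed).
const ENDPOINTS = {
  "GET /orders":    { groups: null },
  "DELETE /orders": { groups: ["admin"] },
  "POST /login":    { groups: null },
};

// Constructed sessions: token -> access group key supplied when the session was created.
const SESSIONS = {
  sess_customer: { userId: "u1", group: "customer" },
  sess_admin:    { userId: "u2", group: "admin" },
};

// App-level default rate limit and a stricter per-endpoint override for login.
const APP_DEFAULT_RATE = { limit: 3, windowMs: 60_000 };
const ENDPOINT_RATE_OVERRIDES = { "POST /login": { limit: 2, windowMs: 60_000 } };

// Fixed-window counters keyed by "<apiKey>:<route>".
const buckets = new Map();
function resetRateLimits() { buckets.clear(); }

// Returns true while the caller is within the window's limit.
function checkRateLimit(bucketKey, rule, t) {
  const b = buckets.get(bucketKey);
  if (!b || t - b.start >= rule.windowMs) {
    buckets.set(bucketKey, { start: t, count: 1 });
    return true;
  }
  b.count += 1;
  return b.count <= rule.limit;
}

// Applies the key's mode to the requested route.
function keyAllowsRoute(key, route) {
  const method = route.split(" ")[0];
  switch (key.mode) {
    case "full":      return true;
    case "read-only": return method === "GET";
    case "allowed":   return key.endpoints.includes(route);
    case "excluded":  return !key.endpoints.includes(route);
    default:          return false; // fail closed on an unknown mode
  }
}

const deny = (status, reason) => ({ ok: false, status, reason });

// Evaluates every control in order and returns the first failure or ok.
function authorize(req, t = Date.now()) {
  const route = `${req.method} ${req.path}`;
  const key = API_KEYS[req.apiKey];
  if (!key || key.env !== req.env) return deny(401, "unknown key or wrong environment");
  if (key.expiresAt !== null && t >= key.expiresAt) return deny(401, "expired key");
  if (key.domains && !key.domains.includes(req.origin)) return deny(403, "origin not in authorized domains");
  if (!ENDPOINTS[route]) return deny(404, "no such endpoint");
  if (!keyAllowsRoute(key, route)) return deny(403, "key not permitted for endpoint");
  // Rate limit before any session lookup so unauthenticated login attempts are capped too.
  const rule = ENDPOINT_RATE_OVERRIDES[route] || APP_DEFAULT_RATE;
  if (!checkRateLimit(`${req.apiKey}:${route}`, rule, t)) return deny(429, "rate limit exceeded");
  const groups = ENDPOINTS[route].groups;
  if (groups) {
    const session = SESSIONS[req.sessionToken];
    if (!session) return deny(401, "session required");
    if (!groups.includes(session.group)) return deny(403, "access group not allowed");
  }
  return { ok: true, status: 200 };
}

// Small stand-alone walk-through of the decisions; returns the statuses it produced.
function demo() {
  resetRateLimits();
  const base = { env: "prod", origin: "https://app.example.com" };
  const results = [
    authorize({ ...base, apiKey: "key_readonly", method: "GET", path: "/orders" }, 1000),
    authorize({ ...base, apiKey: "key_readonly", method: "DELETE", path: "/orders" }, 1000),
    authorize({ ...base, apiKey: "key_full", method: "DELETE", path: "/orders", sessionToken: "sess_customer" }, 1000),
    authorize({ ...base, apiKey: "key_full", method: "DELETE", path: "/orders", sessionToken: "sess_admin" }, 1000),
  ].map(r => r.status);
  resetRateLimits();
  return results; // [200, 403, 403, 200]
}
console.log(demo());
```

The checks are ordered so that the cheapest identity-independent controls (key validity, environment, expiry, origin) run first, the rate limiter runs before any session lookup so that repeated login attempts are capped whether or not they carry a session, and the access-group check runs last because it needs the session. The `default: return false` branch in `keyAllowsRoute` is the fail-closed choice a practitioner would want: a key with an unrecognised mode grants nothing.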