Using API Token to create Signing Key possible?

I’m aware of the security concerns with using the old API Key, as opposed to a newer API Token. I’ve been building my site functionality around using the API Token for this reason, not wanting to store the API Key to reduce security risk.

However, it would seem Creating a Signing Key only works with an API Key. I was hoping someone here might be able to confirm this please. I have (temporarily) given my API Token almost every permission in an attempt to rule a permissions issue out.

This API Key method, which I’m wanting to avoid, works as per documentation (returns a signing key):

curl -X POST "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT ID}/stream/keys" -H "X-Auth-Email: {ACCOUNT NAME}" -H "X-Auth-Key: {API KEY}" -H "Content-Type: application/json"

These are my attempts at using the API Token:

1. Zone API with X-Auth-Key method:

curl -X POST "https://api.cloudflare.com/client/v4/zones/{ZONE ID}/stream/keys" -H "X-Auth-Email: {ACCOUNT NAME}" -H "X-Auth-Key: {API TOKEN}" -H "Content-Type: application/json"
{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}

2. Zone API with Authorization Bearer method: (at least this one was clear about it not being supported)

curl -X POST "https://api.cloudflare.com/client/v4/zones/{ZONE ID}/stream/keys" -H "Authorization: Bearer {API TOKEN}" -H "Content-Type: application/json"
{"success":false,"errors":[{"code":10000,"message":"API Tokens are not supported by this API for now"}]}

3. Accounts API with X-Auth-Key method:

curl -X POST "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT ID}/stream/keys" -H "X-Auth-Email: {ACCOUNT NAME}" -H "X-Auth-Key: {API TOKEN}" -H "Content-Type: application/json"
{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}

4. Accounts API with Authorization Bearer method:

curl -X POST "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT ID}/stream/keys" -H "Authorization: Bearer {API TOKEN}" -H "Content-Type: application/json"
{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}

Hey! Have you verified using your API Token with other resources, for example watermarks or videos (or something outside of Stream)? I just tried making the same request as you with my API token and I was able to get a key back.

That’s promising if it works for you @renan, thank you for trying that. Would you be able to share the curl command you used for this please?

I’m able to use my API Token with GET requests. For example, the exact same curl request turned into a GET request, works (lists all signing keys):

curl -X GET "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT ID}/stream/keys" -H "Authorization: Bearer {API TOKEN}" -H "Content-Type: application/json"

Making no other changes except changing GET to POST, I receive the Authentication error.

I’m able to make other GET requests using the token too, but so far have had no success with any other POST requests, such as upload video from URL and create DNS record for zone.

I created a new token and using that I’m now successfully fetching a signing key.

I’m not sure if it’s because it’s a new token, or because I gave it ALL the permissions (despite the one I was previously using having nearly all the permissions as it was). I’ll now prune those permissions and see what happens.

I’ve located the issue and it was an incorrectly set permission on my part.

My Stream permission was set to Read, not Edit :confounded:
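The failure pattern worked through in this thread, as an added example (not code from any poster or from Cloudflare): a small triage helper that reads the response bodies quoted above and separates a token sent in the wrong header, an endpoint that rejects tokens, and a token that can read a resource but not write to it. The function names, verdict strings and the success envelope are assumptions made for the example.

```python
import json

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def parse(body):
    """Return (success, error messages) from a v4 API response envelope."""
    doc = json.loads(body)
    return bool(doc.get("success")), [e.get("message", "") for e in doc.get("errors") or []]

def triage(observations):
    """Classify failed calls made with an API Token.

    Each observation is (method, path, auth, body), auth being "bearer" or
    "x-auth-key". Returns a list of (method, path, verdict) for failures.
    """
    parsed = [(m.upper(), p, a, *parse(b)) for m, p, a, b in observations]
    # Paths where a Bearer read succeeded: the token is valid and can read there.
    readable = {p for m, p, a, ok, _ in parsed if m == "GET" and a == "bearer" and ok}
    verdicts = []
    for method, path, auth, ok, msgs in parsed:
        if ok:
            continue
        if auth == "x-auth-key":
            verdict = "wrong-scheme: send a token as Authorization: Bearer"
        elif any("not supported" in m for m in msgs):
            verdict = "endpoint-rejects-tokens"
        elif method in WRITE_METHODS and path in readable:
            verdict = "scope: token can read here; check for Edit permission"
        else:
            verdict = "unknown: verify token value, account ID and permissions"
        verdicts.append((method, path, verdict))
    return verdicts

# Constructed observations. The two error bodies are quoted from the thread;
# the success body is a constructed minimal envelope.
AUTH_ERR = '{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}'
NO_TOKENS = ('{"success":false,"errors":[{"code":10000,'
             '"message":"API Tokens are not supported by this API for now"}]}')
OK = '{"success":true,"errors":[],"result":[]}'
KEYS = "/accounts/ACCOUNT_ID/stream/keys"
ZONE_KEYS = "/zones/ZONE_ID/stream/keys"

SAMPLE = [
    ("POST", ZONE_KEYS, "x-auth-key", AUTH_ERR),
    ("POST", ZONE_KEYS, "bearer", NO_TOKENS),
    ("GET", KEYS, "bearer", OK),
    ("POST", KEYS, "bearer", AUTH_ERR),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="  ")
```

The "scope" verdict is the case that lets a token stay narrowly permissioned: it points at one resource's Read/Edit setting instead of prompting a grant of every permission.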

I will report this internally so we can improve the errors. The returning Authentication error wasn’t super useful for debugging!

Thanks @renan, I appreciate that.

This is my first foray into the Cloudflare API and whilst I’ve been enjoying it, it seems there are some small, but important gaps in the documentation. A work in progress perhaps, which I can relate to, but it has made for a lot of trial and error based development.

Some examples:

Error codes vs messages:
Error code 10000, which I was receiving as “Authentication error”, according to the Stream Videos section of the docs is actually “Internal Server Error”. The problem here is it’s difficult to pinpoint the issue as being me or Cloudflare because the code suggests one thing, and the message suggests another.
Error code 10001 would be more consistent, with “Authentication failure”, but is still ambiguous as to the nature of the failure.

Permissions needed:
I’m not aware of any documentation that explains what API Token permissions are actually needed to create a signing key. Many other API features state permission needed: ..., but not signing keys. The natural assumption (but incorrect) was that it requires no special permissions, hence why my Stream permission was set to Read.

Keys vs Tokens:
Perhaps still on the to-do list given that API Tokens are still a relatively new feature. The documentation typically only provides examples for the API Key method of API access. Understandably having examples of both could get a little redundant because one can generally figure out the API Token method from the API Key example. But what might be good, is an indication that the particular API feature supports API Token based authentication, if it can’t be assumed all API features support it.

Anyway, just thoughts. I’m very glad it’s working now and I’m excited to be making breakthroughs with it. Thanks again @renan.

I came here looking for answers on which API permissions are required for using the direct upload API:

POST accounts/:account_identifier/stream/direct_upload

I can confirm that it only works when using the global API key :man_facepalming:t2: