vtexdocs / dev-portal-content

Repository assembling VTEX's developer portal content, except for API schemas.
https://developers.vtex.com

VRN Reference examples - restricting to user / app key #255

Open alexminza opened 1 year ago

alexminza commented 1 year ago

How to use VRN to restrict access to a specific user / app key?

Reference: https://github.com/vtexdocs/dev-portal-content/blob/main/docs/vtex-io/Reference/concepts/vtex-io-documentation-vrn.md

alexminza commented 1 year ago

For an integration with a partner we are working on, we need to allow them to call a custom API endpoint developed by us in a custom VTEX IO app.

We need to be able to secure the API endpoint and allow only specific API keys to access it. Current documentation does not describe such a case and provides no examples.

https://developers.vtex.com/docs/guides/vtex-io-documentation-vrn

Looking at examples, we could not make it with restricted access.

Fragment from the service.json file:

    "route-name": {
      "path": "/_v/route-name/:orderId",
      "public": true,
      "access": "authorized",
      "policies": [
        {
          "effect": "allow",
          "actions": [
            "get"
          ],
          "principals": [
            "vrn:vtex.vtex-id:*:*:*:user/vtexappkey-*",
            "vrn:vtex.vtex-id:*:{{account}}:*:user/vtexappkey-*"
          ]
        }
      ]
    },

alexminza commented 1 year ago

CC @carolinamenezes, @brunoamui