# Authentication
dakkio uses a dual authentication system to support both web applications and IoT devices.
## Authentication Methods
### 1. JWT Authentication (Dashboard)
Used by the web dashboard and applications that manage resources.
Use Cases:
- Managing buckets and data sources
- Configuring alert rules
- Setting up webhooks
- Viewing analytics
- User account management
How it Works:
- User logs in with email/password
- Server returns a JWT token
- Client includes the token in the `Authorization` header
- Token expires after 24 hours
Example:
```bash
# Login
curl -X POST https://api.dakkio.io/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "password123"
  }'

# Use token
curl -X GET https://api.dakkio.io/api/buckets \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
```
### 2. API Key Authentication (Data Operations)
Used by IoT devices and external integrations for data operations.
Use Cases:
- Ingesting sensor data
- Querying time-series data
- Automated data imports
- Third-party integrations
How it Works:
- Generate an API key via the dashboard or the API
- Store the key securely in your application
- Include the key in the `X-API-Key` header
- Key remains valid until revoked
Example:
```bash
# Send data
curl -X POST https://api.dakkio.io/api/data \
  -H "X-API-Key: dakkio_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" \
  -H "Content-Type: application/json" \
  -d '{
    "bucketId": "507f1f77bcf86cd799439011",
    "dataSourceId": "507f1f77bcf86cd799439012",
    "values": { "temperature": 22.5 }
  }'
```
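The two flows above (JWT session for dashboard calls, API key for data operations) in client code, as an added example that is not part of dakkio's documentation or SDK. It assumes, beyond what the page states, that the login response is JSON with a `token` field and that the JWT may carry a standard `exp` claim (if it does not, the documented 24-hour lifetime is used). The HTTP call is injected as a callable, and `make_fake_transport` is a constructed stand-in so the expiry-driven re-login can be exercised offline; swap in a real HTTP client for the callable to talk to `https://api.dakkio.io`.

```python
"""dakkio auth helpers: JWT session with expiry-aware re-login, API-key device client.

Added example, not dakkio's own SDK. Assumptions beyond the docs:
- POST /api/auth/login returns JSON with a "token" field;
- the JWT may carry a standard "exp" claim; otherwise the documented 24h lifetime applies.
HTTP is injected as a callable so the logic can run offline against a fake.
"""
import base64
import json
import os
import time
from typing import Callable, Dict, Mapping, Optional

Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]

BASE_URL = "https://api.dakkio.io"
JWT_LIFETIME_SECONDS = 24 * 60 * 60  # lifetime stated by the docs
REFRESH_MARGIN_SECONDS = 5 * 60      # re-login this long before expiry


def jwt_expiry(token: str, issued_at: float) -> float:
    """Unix time at which `token` expires.

    Reads the unverified "exp" claim: the client only needs it to schedule a
    refresh, signature verification is the server's job. Falls back to
    issued_at + 24h when the token carries no usable claim.
    """
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        return float(json.loads(base64.urlsafe_b64decode(payload))["exp"])
    except (IndexError, ValueError, KeyError, TypeError):
        return issued_at + JWT_LIFETIME_SECONDS


class DashboardSession:
    """JWT session for dashboard/configuration calls."""

    def __init__(self, email: str, password: str, transport: Transport,
                 clock: Callable[[], float] = time.time):
        self._email, self._password = email, password
        self._transport, self._clock = transport, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _login(self) -> None:
        now = self._clock()
        resp = self._transport("POST", BASE_URL + "/api/auth/login",
                               {"Content-Type": "application/json"},
                               {"email": self._email, "password": self._password})
        self._token = resp["token"]  # assumed response field
        self._expires_at = jwt_expiry(self._token, now)

    def token(self) -> str:
        # Re-login when the token is missing or about to expire; never send an expired one.
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS:
            self._login()
        return self._token

    def get(self, path: str) -> dict:
        # The token travels only in the Authorization header, never in the URL.
        return self._transport("GET", BASE_URL + path,
                               {"Authorization": "Bearer " + self.token()}, None)


class DeviceClient:
    """API-key client for data operations; the key is read from the environment."""

    def __init__(self, transport: Transport, env: Mapping[str, str] = os.environ,
                 var: str = "DAKKIO_API_KEY"):
        key = env.get(var)
        if not key:
            raise RuntimeError(f"{var} is not set; the key must not be hardcoded")
        self._key, self._transport = key, transport

    def send(self, bucket_id: str, data_source_id: str, values: dict) -> dict:
        return self._transport("POST", BASE_URL + "/api/data",
                               {"X-API-Key": self._key, "Content-Type": "application/json"},
                               {"bucketId": bucket_id, "dataSourceId": data_source_id,
                                "values": values})


def make_fake_transport(clock: Callable[[], float]):
    """Constructed stand-in for HTTP: mints unsigned tokens carrying an exp claim."""
    calls = {"logins": 0}

    def transport(method, url, headers, body):
        if url.endswith("/api/auth/login"):
            calls["logins"] += 1
            claims = json.dumps({"exp": int(clock()) + JWT_LIFETIME_SECONDS}).encode()
            payload = base64.urlsafe_b64encode(claims).rstrip(b"=").decode()
            return {"token": f"hdr.{payload}.sig"}  # constructed, not a real JWT
        return {"ok": True, "headers": headers}

    return transport, calls


def demo_refresh() -> int:
    """Logins performed across three calls spanning almost 24h (expect 2)."""
    now = [1_700_000_000.0]  # constructed clock
    transport, calls = make_fake_transport(lambda: now[0])
    session = DashboardSession("user@example.com", "password123", transport, lambda: now[0])
    session.get("/api/buckets")          # first call logs in
    session.get("/api/buckets")          # token still fresh, no login
    now[0] += JWT_LIFETIME_SECONDS - 60  # inside the 5-minute margin
    session.get("/api/buckets")          # re-login before expiry
    return calls["logins"]
```

Reading `exp` without verifying the signature is fine here because the client only uses it to decide when to log in again; the server still rejects a token whose signature or expiry is bad. The `DeviceClient` deliberately has no way to take the key as a literal argument, so the only path is an environment variable or an injected mapping.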
## Which Authentication to Use?
| Task | Authentication Method |
|---|---|
| Login to dashboard | JWT |
| Create/update buckets | JWT |
| Manage data sources | JWT |
| Configure alerts | JWT |
| Setup webhooks | JWT |
| View analytics | JWT |
| Ingest sensor data | API Key |
| Query time-series data | API Key |
| Batch data import | API Key |
### Best Practice
- Use JWT for admin and configuration tasks
- Use API Keys for data operations and IoT devices
## Security Best Practices
### JWT Tokens
✅ DO:
- Store tokens securely (HTTP-only cookies, secure storage)
- Implement token refresh logic
- Clear tokens on logout
- Use HTTPS for all requests
❌ DON'T:
- Store tokens in localStorage (XSS risk)
- Share tokens between users
- Commit tokens to version control
- Use expired tokens
### API Keys
✅ DO:
- Store keys in environment variables
- Use different keys for dev/staging/production
- Rotate keys periodically
- Revoke compromised keys immediately
- Use HTTPS for all requests
❌ DON'T:
- Hardcode keys in your source code
- Commit keys to version control
- Share keys publicly
- Use the same key across multiple services
- Include keys in URLs or query parameters
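A small scanner that enforces three of the DON'Ts above (hardcoded keys, tokens in source, credentials in URLs) before code is committed, as an added example that is not part of dakkio's documentation or tooling. It assumes API keys match the shape of the page's sample (`dakkio_` followed by 32 lowercase alphanumerics) and matches JWTs by their generic three-segment base64url form; `SAMPLE_SOURCE` is a constructed file used to demonstrate the output.

```python
"""Scan source text for dakkio credentials that should not be committed.

Added example, not part of dakkio's docs or tooling. Assumption: API keys
match the page's sample shape ("dakkio_" plus 32 lowercase alphanumerics);
JWTs are matched by the generic three-segment base64url form ("eyJ" is how
a base64-encoded '{"' begins). Credential-in-URL detection flags api_key or
token query parameters, which the docs say to avoid.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, kind, line with the secret redacted)

API_KEY_RE = re.compile(r"\bdakkio_[a-z0-9]{32}\b")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
URL_CRED_RE = re.compile(r"[?&](?:api[_-]?key|x-api-key|token)=[^&\s'\"]+", re.IGNORECASE)

CHECKS = (("api-key", API_KEY_RE), ("jwt", JWT_RE), ("credential-in-url", URL_CRED_RE))


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable without reproducing the secret."""
    return secret[:10] + "..." + "*" * 6


def scan_text(text: str) -> List[Finding]:
    """Return one finding per (line, kind); the reported line has the match redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CHECKS:
            match = pattern.search(line)
            if match:
                shown = line.replace(match.group(0), redact(match.group(0)))
                findings.append((lineno, kind, shown))
    return findings


# Constructed sample: line 2 is the correct pattern, lines 3-5 are the mistakes.
SAMPLE_SOURCE = """\
import os
API_KEY = os.environ["DAKKIO_API_KEY"]
LEGACY_KEY = "dakkio_0123456789abcdef0123456789abcdef"
url = "https://api.dakkio.io/api/data?api_key=dakkio_0123456789abcdef0123456789abcdef"
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln"}
"""


if __name__ == "__main__":
    import sys
    # With file paths as arguments scan those files; otherwise show the sample.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, text in sources or [("SAMPLE_SOURCE", SAMPLE_SOURCE)]:
        for lineno, kind, shown in scan_text(text):
            print(f"{name}:{lineno}: {kind}: {shown}")
```

Wire it into a pre-commit hook or CI step that fails the build when `scan_text` returns anything; the redaction keeps the secret itself out of build logs, which otherwise become one more place the key is stored.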