Deploy Blnk
Local install or Blnk Cloud.
Enable authentication
Enable secure mode by settingserver.secure to true and providing a strong server.secret_key:
X-Blnk-Key header. Requests without a key are rejected.
The secret_key value becomes your master key. It has full access to every endpoint on the server, so use it only for administrative tasks and initial setup. For regular service traffic, create scoped API keys.
Pass the master key in the X-Blnk-Key header:
cURL
About the master key
The master key is thesecret_key from your configuration. Unlike scoped API keys, it is not bound to an owner or scopes, and it can call any endpoint on the server. Blnk also uses it to sign outbound webhook and transaction hook deliveries.
We recommend using the master key only for initial setup and administrative tasks listed below. For regular API calls, use the scoped keys you create.
-
Create scoped keys. Create your first scoped keys with
POST /api-keys. After that, services should use scoped keys, not the master key. -
Manage keys across owners. List, create, and revoke keys for any owner by passing
ownerin the request. Scoped keys can manage keys only within their ownowner_id. See Owner context. -
Manage hooks. Register, update, list, and delete transaction hooks. Hook management rejects scoped keys, even with
hooks:*scopes. -
Verify webhooks. Blnk signs outbound deliveries with
X-Blnk-Signatureusingserver.secret_key. Use the same secret on your receiver to verify authenticity. See Webhook security.
Security check list
Enabling secure mode is only the start. Work through this checklist to protect your master key, keep configuration out of version control, and limit API access to what each service needs.1
Master key management
- Use a strong, randomly generated master key
- Never share or commit it to version control
- Store it in environment variables or a secret management tool
- Rotate it on a regular schedule
2
Configuration management
- Exclude
blnk.jsonfrom version control (.gitignore) - Store sensitive configuration in environment variables
- Implement secure secret rotation procedures
3
Access control
- Follow the principle of least privilege: use scoped keys for services, not the master key
- Regularly review API key permissions. See Manage API keys
- Register and manage transaction hooks with the master key only
4
Monitoring and auditing
- Track failed authentication attempts
- Monitor API key usage patterns
- Set up alerts for suspicious activity
- Regularly review access logs
5
Regular updates
- Keep all components up to date
- Monitor security advisories
- Schedule regular maintenance windows
Error handling
Structured errors are available from Blnk Core 0.15.0 and later.
401 Unauthorized. These errors apply whether you use the master key or a scoped key.
401 Unauthorized
Permission errors for missing scopes are covered in Scopes. Owner and delegation errors are covered in Owner context.