
Better API usage for developers #1510

Open
mrafieefard opened this issue Dec 14, 2024 · 6 comments
Comments

@mrafieefard

If you could add a page where we are able to create an API key, it would be great. Logging in to the user every time is awkward, and I also don't want to make the API key expire at infinity, for security reasons.

@M03ED
Collaborator

M03ED commented Dec 14, 2024

What's the difference between having a lifetime API key and a lifetime token?
An API key can't do anything more than a token, and both are vulnerable.

@mrafieefard
Author

> What's the difference between having a lifetime API key and a lifetime token? An API key can't do anything more than a token, and both are vulnerable.

This question is like asking why OpenAI or the big companies make API keys and why they don't just create lifetime tokens for users to use.

  1. Having an API key option makes a permission system possible.
  2. API keys are kept in a safe place; otherwise a lifetime token is saved in local user storage (cookies) and stealers can access it.

Also, it's not clever to use a user token for a production app.

Solution:

Create a CLI command like token, apikey or similar, and when it is triggered it gives a randomly generated token that is stored in the database.
You could also create a new bearer token, but this is not the recommended way either, because API keys are usually short character strings.

@M03ED
Collaborator

M03ED commented Dec 17, 2024

Services that provide API keys give different access levels to users with their key; we don't have such a thing in Marzban.
For example, OpenAI gives users unlimited access to the models, but it costs them per request.
About security: you have to store the API key wherever you want to use it (in a bot or any service), in the same place you store the JWT token, so if the token can be leaked, the API key can be leaked too.

@mrafieefard
Author

> Services that provide API keys give different access levels to users with their key; we don't have such a thing in Marzban. For example, OpenAI gives users unlimited access to the models, but it costs them per request. About security: you have to store the API key wherever you want to use it (in a bot or any service), in the same place you store the JWT token, so if the token can be leaked, the API key can be leaked too.

You're kind of right about the first part, but JWT tokens are saved in the browser's cookies, and having a non-expiring JWT token means that if someone somehow gets access to your browser, they can log in to the panel forever. So the difference between a JWT and an API key is here: JWTs are for saving user credentials, and API keys are for use in production services.

Before I enabled unlimited token expiry, I used to use marzpy and log in every time for every request, and that caused a corrupted database; I spent the whole day trying to restore my backup.
I don't want this to happen again.

As I said, the solution is very easy: just create a new table in SQLAlchemy, then create insert, delete and update functions and link them to the CLI.

Unfortunately I don't have time to do this task unless I do it on my own; I hope you or someone else does this, and it would be great.
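As an added illustration of the proposal in the two comments above (a randomly generated key stored in a database table, managed by CLI-style create and revoke functions), here is example code written for this thread; it is not Marzban's code. It uses the standard-library sqlite3 module in place of the SQLAlchemy table the comment proposes, and the api_keys table layout, the "mz" prefix and every function name are assumptions. It also shows the two properties the thread argues about: the key is stored only as a hash, so a database dump or backup does not expose usable keys, and each key carries its own expiry and revocation flag, so one leaked bot key can be cut off without changing the admin password or touching the other keys.

```python
"""Per-service API keys stored hashed in a database table, with per-key
expiry and revocation.

Illustrative code written for this thread, not Marzban's implementation.
The standard-library sqlite3 module stands in for the SQLAlchemy table the
comment proposes; the table layout, the "mz" prefix and the function names
are all assumptions.
"""
import hashlib
import hmac
import secrets
import sqlite3
import time

KEY_PREFIX = "mz"  # assumed: a fixed prefix makes leaked keys easy to grep for


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open the database and create the (hypothetical) api_keys table.

    Only a SHA-256 digest of the secret is stored, never the secret itself.
    """
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS api_keys (
               key_id      TEXT PRIMARY KEY,
               name        TEXT NOT NULL,
               secret_hash TEXT NOT NULL,
               created_at  REAL NOT NULL,
               expires_at  REAL,
               revoked     INTEGER NOT NULL DEFAULT 0
           )"""
    )
    return conn


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def create_api_key(conn, name, ttl_days=None, now=None):
    """Mint a key of the form mz_<key_id>.<secret> and return it exactly once.

    ttl_days=None creates a key that never expires; pass a TTL for anything
    that lives in a bot or script. `now` is a unix timestamp and exists only
    to make the behaviour deterministic in tests.
    """
    now = time.time() if now is None else now
    key_id = secrets.token_hex(4)        # 8 hex chars, used only for the lookup
    secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    expires_at = None if ttl_days is None else now + ttl_days * 86400
    conn.execute(
        "INSERT INTO api_keys (key_id, name, secret_hash, created_at, expires_at)"
        " VALUES (?, ?, ?, ?, ?)",
        (key_id, name, _digest(secret), now, expires_at),
    )
    conn.commit()
    return f"{KEY_PREFIX}_{key_id}.{secret}"


def verify_api_key(conn, presented, now=None):
    """Return the key's name if it is valid, otherwise None.

    Malformed input, unknown ids, wrong secrets, revoked keys and expired
    keys all fail the same way, so a caller cannot tell them apart.
    """
    now = time.time() if now is None else now
    try:
        prefix, rest = presented.split("_", 1)
        key_id, secret = rest.split(".", 1)
    except (AttributeError, ValueError):
        return None
    if prefix != KEY_PREFIX:
        return None
    row = conn.execute(
        "SELECT name, secret_hash, expires_at, revoked FROM api_keys WHERE key_id = ?",
        (key_id,),
    ).fetchone()
    if row is None:
        return None
    name, secret_hash, expires_at, revoked = row
    # Constant-time comparison so response timing does not leak how many
    # leading bytes of a guessed secret were right.
    if not hmac.compare_digest(_digest(secret), secret_hash):
        return None
    if revoked:
        return None
    if expires_at is not None and now >= expires_at:
        return None
    return name


def revoke_api_key(conn, key_id):
    """Cut off one key without touching the admin password or any other key."""
    cur = conn.execute("UPDATE api_keys SET revoked = 1 WHERE key_id = ?", (key_id,))
    conn.commit()
    return cur.rowcount == 1


def key_id_of(api_key):
    """Public id part of a key, e.g. for an `apikey revoke <id>` CLI command."""
    return api_key.split("_", 1)[1].split(".", 1)[0]
```

The key_id half of the key is what gets listed and revoked from the CLI; the secret half is shown once at creation and exists afterwards only as a digest, so the lookup is by id and only the final comparison touches secret material.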

@M03ED
Collaborator

M03ED commented Dec 17, 2024

> You're kind of right about the first part, but JWT tokens are saved in the browser's cookies, and having a non-expiring JWT token means that if someone somehow gets access to your browser, they can log in to the panel forever. So the difference between a JWT and an API key is here: JWTs are for saving user credentials, and API keys are for use in production services.
>
> Before I enabled unlimited token expiry, I used to use marzpy and log in every time for every request, and that caused a corrupted database; I spent the whole day trying to restore my backup. I don't want this to happen again.
>
> As I said, the solution is very easy: just create a new table in SQLAlchemy, then create insert, delete and update functions and link them to the CLI.
>
> Unfortunately I don't have time to do this task unless I do it on my own; I hope you or someone else does this, and it would be great.

First of all, you don't need to log in for every request; you can log in whenever the last token has expired (the default is 24h).
For the second one, you can disable old tokens by changing your password.

@mrafieefard
Author

> You're kind of right about the first part, but JWT tokens are saved in the browser's cookies, and having a non-expiring JWT token means that if someone somehow gets access to your browser, they can log in to the panel forever. So the difference between a JWT and an API key is here: JWTs are for saving user credentials, and API keys are for use in production services.
> Before I enabled unlimited token expiry, I used to use marzpy and log in every time for every request, and that caused a corrupted database; I spent the whole day trying to restore my backup. I don't want this to happen again.
> As I said, the solution is very easy: just create a new table in SQLAlchemy, then create insert, delete and update functions and link them to the CLI.
> Unfortunately I don't have time to do this task unless I do it on my own; I hope you or someone else does this, and it would be great.

> First of all, you don't need to log in for every request; you can log in whenever the last token has expired (the default is 24h). For the second one, you can disable old tokens by changing your password.

So this isn't a casual way for a production app to handle logins and tokens.
