API Tokens Scopes
We’ve added API scopes to Val Town API tokens to improve security and give you more granular control over your use of our REST API.
We have read/write scopes for:
val
– valsuser
– user account detailsblob
– blob storagesqlite
– sqlite databaseemail
– ability to send emails
The API tokens page now lets you view and configure the scope of each token.
Scoping vals
This change also lets you configure the scope of vals.
When a val runs, we inject an API token into a valtown
environment variable,
which that val uses to access Val Town Standard Library functions, such as
blob storage, sqlite, and email sending.
We are now allowing you to configure the scope of that injected valtown
API token environment variable, effectively scoping the permissions of the val,
ensuring that it only has access to the
resources that it needs.
Additionally, vals now receive short-lived API tokens when they are running, limiting the potential damage from a compromised val.
Safer Defaults
Starting today, the default scope for vals will include every scope
except val:write
and user:write
to limit potential damage from
misconfiguration, vulnerable libraries, or account compromises.
Without the ability to mutate val resources, unauthorized actors now cannot execute
new code or modify existing code in your account.
Further down the road, we’re considering even fewer default scopes, and having a slick UI to let you opt-into extra scopes at runtime when your code accesses them. Think of the way iOS apps ask for permissions when they need them.
Github Secret Scanning
We’re joining the Github Secret Scanning program, so if your API token is leaked in a public Github repository, we’ll be notified and can revoke the token.
Migrating current users
We’ve updated 99% of existing API tokens to use these safer defaults.
We identified which users are using the val:write
scope, and have held off migrating their tokens, and work with them to upgrade. If you’re one of these users,
expect an email shortly.
We’re always looking for ways to make our platform more secure. If you have security-related feedback or new feature suggestions please make yourself heard in our Discussions or reach out to security@val.town.
Edit this page