Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 30 additions & 3 deletions docs/HyperIndex/Hosted_Service/hosted-service-features.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,17 +40,44 @@ The `name` tag has special behavior—when set, its value is displayed directly
- Filter and locate deployments more efficiently


## IP Whitelisting
## Security

*Availability: Paid plans only*

Control access to your indexer by restricting requests to specific IP addresses. This security feature helps protect your data and ensures only authorized clients can query your indexer.
Control who can query your hosted GraphQL endpoint. Envio Cloud offers two complementary methods to restrict access to your indexer: **IP Whitelisting** and **API Key Authentication**. Use either independently or combine both for layered protection.

Security is configured **per indexer (project)**, not per deployment. This means your access rules carry over automatically when you promote a new version to production—no reconfiguration needed.

### IP Whitelisting

Restrict requests to specific IP addresses. Only clients connecting from an approved IP can query your indexer.

**Benefits:**
- Enhanced security for sensitive data
- Prevent unauthorized access
- Control API usage from specific sources
- Ideal for production environments with strict access requirements
- Ideal for production environments with strict access requirements, such as server-to-server backends with stable IP addresses

### API Key Authentication

Protect your endpoint with an API key—a secret token that clients include with each request to prove they're authorized. This is the recommended option for browser-based dApps and frontends, where users connect from unpredictable IP addresses that can't be allow-listed.

**How it works:**
- Each indexer (project) gets a **unique API key**, automatically generated and securely stored
- Retrieve your API key from the deployment dashboard
- Include it with every request using the `Authorization` header as a Bearer token:

```bash
curl https://<your-endpoint>/v1/graphql \
-H "Authorization: Bearer <your-api-key>"
```

Requests without a valid key are rejected with a `401 Unauthorized` response.

**Benefits:**
- Works for browser-based apps and frontends with no fixed IP address
- The same key persists across deployment promotions
- Both your production endpoint and per-deployment URLs are gated by the same policy—no way to bypass authentication
Comment on lines +63 to +80

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t recommend a shared API key for browser clients.

The “recommended option for browser-based dApps and frontends” wording is unsafe: if this bearer token is embedded client-side, any user can extract and reuse it. Please reframe this as a server-side/proxy flow or explicitly state that the key must never be exposed in the browser.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/HyperIndex/Hosted_Service/hosted-service-features.md` around lines 63 -
80, The doc currently recommends using a shared API key for "browser-based dApps
and frontends" which is unsafe; update the text around the "recommended option
for browser-based dApps and frontends" and the Authorization/Bearer example to
explicitly prohibit embedding the API key in client-side code and instead
recommend a server-side/proxy flow (or short-lived per-user tokens) that injects
the Bearer token on behalf of clients; keep the curl example as a server-side
usage example and add a short note: "Do not expose this key in browser code —
use a trusted backend or proxy to attach Authorization headers."



## Effect API Cache
Expand Down
34 changes: 31 additions & 3 deletions docs/HyperIndexV2/Hosted_Service/hosted-service-features.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,17 +40,45 @@ The `name` tag has special behavior—when set, its value is displayed directly
- Filter and locate deployments more efficiently


## IP Whitelisting
## Security

*Availability: Paid plans only*

Control access to your indexer by restricting requests to specific IP addresses. This security feature helps protect your data and ensures only authorized clients can query your indexer.
Control who can query your hosted GraphQL endpoint. Envio Cloud offers two complementary methods to restrict access to your indexer: **IP Whitelisting** and **API Key Authentication**. Use either independently or combine both for layered protection.

Security is configured **per indexer (project)**, not per deployment. This means your access rules carry over automatically when you promote a new version to production—no reconfiguration needed.

### IP Whitelisting

Restrict requests to specific IP addresses. Only clients connecting from an approved IP can query your indexer.

**Benefits:**
- Enhanced security for sensitive data
- Prevent unauthorized access
- Control API usage from specific sources
- Ideal for production environments with strict access requirements
- Ideal for production environments with strict access requirements, such as server-to-server backends with stable IP addresses

### API Key Authentication

Protect your endpoint with an API key—a secret token that clients include with each request to prove they're authorized. This is the recommended option for browser-based dApps and frontends, where users connect from unpredictable IP addresses that can't be allow-listed.

**How it works:**
- Each indexer (project) gets a **unique API key**, automatically generated and securely stored
- Retrieve your API key from the deployment dashboard
- Include it with every request using the `Authorization` header as a Bearer token:

```bash
curl https://<your-endpoint>/v1/graphql \
-H "Authorization: Bearer <your-api-key>"
```

Requests without a valid key are rejected with a `401 Unauthorized` response.

**Benefits:**
- Works for browser-based apps and frontends with no fixed IP address
- The same key persists across deployment promotions
- Both your production endpoint and per-deployment URLs are gated by the same policy—no way to bypass authentication
- Negligible added latency, validated in-process on every request


## Effect API Cache
Expand Down