README.md

Spice.ai API Key Authentication

Spice supports securing its HTTP, Flight/FlightSQL, and OpenTelemetry endpoints using API keys.

Enable API key authentication with:

runtime:
  auth:
    api_key:
      enabled: true
      keys:
        - ${ env:API_KEY }

Create a .env file in the same directory as spicepod.yaml to set an API key that will be pulled from the environment:

API_KEY=foobar

HTTP

1. Start Spice with spice run, then open a new terminal
2. To test without an API key, run:

curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'

Expected response:

$ curl -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'
HTTP/1.1 401 Unauthorized
content-length: 12
date: Thu, 07 Nov 2024 01:52:00 GMT

Unauthorized

1. Test with the API key:

curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'

Output:

curl -H "x-api-key: foobar" -XPOST -i http://localhost:8090/v1/sql -d 'SELECT 1'
HTTP/1.1 200 OK
content-type: text/plain; charset=utf-8
x-cache: Miss from spiceai
content-length: 16
date: Thu, 07 Nov 2024 01:53:20 GMT

[{"Int64(1)":1}]

CLI

1. Start Spice with spice run, then open a new terminal
2. Run spice pods without an API key

$ spice pods
2025/01/21 00:44:11 ERROR listing spiced pods error=Unauthorized

1. Now, run spice pods with the API key

$ spice pods --api-key foobar

VERSION NAME    DATASETSCOUNT MODELSCOUNT DEPENDENCIESCOUNT 
v1      api_key 0             0           0                 

SQL REPL

1. Start Spice with spice run, then open a new terminal
2. Open the SQL REPL with spice sql, then attempt a SQL query:

$ spice sql

sql> select 1;
Authentication Error Access denied. Invalid credentials.

1. Re-open the SQL REPL with the API key and try the query again:

$ spice sql --api-key foobar

sql> select 1;
+----------+
| Int64(1) |
+----------+
| 1        |
+----------+

Time: 0.007247375 seconds. 1 rows.