Client Keys

Client keys are provisioned clients that are allowed to either ingest, or retrieve data. A client key can be provisioned to do both, but this is generally not the preferred situation. Client keys are composed of a name, an opaque token, and a series of grants to Data Pools and/or Data Views.

Authorizing a key to ingest data

In order to ingest data into a Data Pool, a client key must be used. Once a key it can be authorized to ingest a specific Data Pool by using the Grant Data Pool button. Grants allow keys to be authorized by specific Data Pool.

Field injections

When a Client Key has been granted authorization to a Data Pool, injections can be defined. An injection will set a field's value when the Client Key is used to ingest a record. This can be used to enforce fields for a given key, that can later be used to perform row level authorization.

To define an injection for a Client Key, navigate to the Client Keys detail page. Data Pool grants will appear in the Granted Data Pools table. Click the ellipsis menu for the given grant and select New Injection from the menu.

Authorizing a key to egress data

In order to utilizing the egress endpoint created for a Data View, a Client Key must be provided. This key must be granted permission to the Data View in question. To authorize a key to have access to a Data View, click Grant Data View from the Client Key's detail page.

Field constraints

Constraints allow a Client Key to be limited in what data it can retrieve from a Data View. At a basic level these are arbitrary conditions against the data set. Constraints allow for row level authorization.

To create a constraint, navigate to the Client Token's detail page. Click the ellipsis menu for the grant in question and select New Constraint. The field for the constraint can be selected from fields available to the View, or from fields in the underlying Data Pool; even if they were not provided to the view.