
Authentication Overview

In Vectara, we have robust authentication and authorization methods in place to secure your data and operations. All Vectara APIs are authenticated. Indexing and Search APIs can be authenticated via Index or Query API Keys, while Admin actions (creating/deleting corpora) must be done via Personal API Keys or OAuth 2.0.

Choosing Personal API keys, Index API Keys, Query API Keys, or OAuth 2.0

When it comes to securing your application and managing access, you have a choice between three different API Keys and OAuth. API Keys can be scoped to administrative actions, to query (read-only), or to both query and index (read-and-write). Personal API Keys inherit the permissions of their associated user account. We recommend that you choose the most limited scope you can for your application: it's "cheap" to create multiple API keys, but accidentally publishing an over-privileged API key is often organizationally "expensive."

In general, we recommend that you use OAuth 2.0 if and where possible for production applications. OAuth can ensure a higher level of security and better protect your sensitive data.

Authorization

Authorizations in Vectara include roles at the account and corpus levels. Account features also differ from roles and are generally tied to the account tier. For more details about Vectara's authorization/permissions model, see the RBAC authorization page.

Transport Layer Security (TLS)

All communication to and from the API endpoints takes place over an encrypted communication channel (TLS). gRPC handles configuration of the TLS channel using channel credentials; refer to the gRPC documentation for details.

Configure channel credentials

The following code snippets show how to configure channel credentials using the default set of root certificates installed on your system, which is usually sufficient.

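import io.grpc.ManagedChannel;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import javax.net.ssl.TrustManagerFactory;

// build() on the SSL context throws SSLException; call this from a method that declares or handles it.
ManagedChannel channel = NettyChannelBuilder
    .forAddress("serving.vectara.io", 443)
    .sslContext(GrpcSslContexts.forClient()
        .trustManager((TrustManagerFactory) null) // cast resolves the overload; null loads root certificates from the default location
        .build())
    .build();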