I'm using the express-stormpath package with a new application I've created in my account at Stormpath.com.
I use stormpath in my app I have to provide an application HREF provided in the application page in the stormpath admin, I also have to provide a API Key and Secret.
I've been creating a new API key/secret for every app I've made on the one admin tenant assigned to the account, the one I signed up with.
And I use that API key/secret to authorize my express application with Stormpath.
So in my admin account I have a long list of API Keys and I have no idea which key is for which app.
Is this how I should be doing it?
It just feels very messy. I see that normal application users can be given API keys/secrets, what are these for? Can I create an admin users for each app and use their API keys and secrets without making them a stormpath administrator?
Does that make sense? I've tried emailing the support directly.. but they didn't really understand any of this. :/
First of all, this is a great question, so I’m not sure why you’re being down voted. API keys can be a confusing topic. I’ll try to clear up the mystery around them before answering your specific questions.
In Stormpath, there’s two types of API keys: Tenant API keys, and Account API keys. Tenant API keys are what you need in order to make API calls to Stormpath. They identify you as an administrator of your Stormpath Tenant, and give you full read/write access to all of your Tenant’s data (in other words, anything and everything you’ve stored in Stormpath). By definition, an administrator has access to the Stormpath API and the Admin Console (aka the webpage you see when you log into Stormpath).
There’s also the notion of Account API keys. Accounts are people (or devices) that are signing up to use your web app, mobile app, or API service. In Stormpath, Accounts are stored in Directories, which in turn are stored in Applications. You can read all about this here. I like to think of Account API keys as a more secure version of a username and password. They’re really useful if you’re building out your own API service and want users to authenticate before they start making requests to your API.
That’s really all there is to it. API keys authenticate you — nothing more, nothing less. There’s tons of articles out there debating whether or not API keys are more secure than other methods, so you’re free to check those out. But in Stormpath, in order to communicate with our API, you must identify yourself as a Stormpath Tenant administrator. As you build out your own web app, mobile app, or API service, you can choose how you want your users to interact with your services.
I hope this helps clear things up.
If you want to create any other type of roles/permissions for your users, you’ll need to learn about authorization and how it works in Stormpath. I won’t elaborate on that here, but you can read all about it in our docs.