Application Keys

    Application keys (app keys) control access to your Backblaze B2 Cloud Storage account.

    Standard Application Keys

    You can create standard app keys that have access to all buckets in an account or just a single bucket. To restrict access to a specific group of buckets within an account, you can create a Multi-Bucket Application Key.

    Standard app keys have limited capabilities, can support a specific file prefix, and can expire. In addition to limiting access, standard app keys continue to work even when the master app key is changed. You can also delete a standard app key to remove access without disrupting other users. 

    If you use a Backblaze B2 integration partner, confirm that their app supports app keys.

    For information about Backblaze B2 scalable app keys, see Scalable Application Keys for Enhanced Security and Performance.

    Master Application Keys

    The master app key is the first key that you have access to and provides complete access to your account. This key has all capabilities, access to all buckets, and has no file prefix restrictions or expiration. Your master app key is shown only when you generate it, and it is not shown again. You should save your master app key in a secure location if you plan to use it more than once. Your master app key becomes invalid if you generate a new one. After you sign in to your Backblaze account, you can find the master app key ID for your account on the App Keys page.

    When to Use Standard and Master Application Keys

    Because a master application key grants broad access privileges, you should use it only in situations where that level of access is necessary. Otherwise, it is safer to use a standard application key that is limited to the level of access that a user needs. The following use cases demonstrate when to use a standard app key versus a master application key:

    Use a standard application key for the following cases:

    • You are using the S3-Compatible API.
    • You have a bucket that is dedicated to media distribution, and you want an app key with read-only access.
    • You are running an application that requires access to specific data that is stored in specific buckets.
    • You made a web application that lets users upload files to a designated bucket.
    • You are integrating with third-party applications, such as Cyberduck or LucidLink.

    Use a master application key for the following cases:

    • You are using the Partner API.
    • You are running an account-level application that administers groups or buckets.

    Creating and Using App Keys

    You can create an app key using the Backblaze web console, or you can use the b2_create_key operation in the Native API. You can limit app keys to a single bucket or group of buckets, or even to specific files within a bucket, by creating a Multi-Bucket Application Key.

    You can create multiple app keys. For example, if you create a cell phone app, you can create an app key for each of your customers. The limit is currently 100 million app keys per account, but contact the Backblaze sales team if you need more.

    The following table lists each app key setting and its corresponding function.

    Web UI Setting: Name of key
    API Value: keyName
    Function: This value is the alias for your app key. It is used only for user identification in the Backblaze web console. There is no requirement for the key name to be unique. Key names are limited to 100 characters and can contain letters, numbers, and "-", but not I18N characters, such as é, à, and ü.

    Web UI Setting: Allow access to buckets
    API Value: bucketIds
    Function: If set to All in the Web UI, this setting allows access to all buckets. If set to a bucketName, this setting allows access only to that bucket.

    Web UI Setting: Type of access
    API Value: capabilities
    Function: This value specifies the type of access:
    • Read and Write
    • Read Only
    • Write Only

    Web UI Setting: Allow list all bucket names
    API Value: listAllBucketNames
    Function: This setting allows or disallows the listing of all bucket names, including bucket creation dates. This is selectable only when bucket access is limited to a single bucket. This setting is required for the S3 List Buckets API operation.

    Web UI Setting: File name prefix
    API Value: namePrefix
    Function: This setting limits access to file names that begin with a specific prefix.

    Web UI Setting: Duration (seconds)
    API Value: validDurationSeconds
    Function: This setting allows you to limit the time before authorization expires. This is a positive integer less than 1000 days (in seconds).

    The following API calls are related to app keys:

    • b2_authorize_account This operation uses an app key to generate an authorization token. The authorization token that is generated when you use an app key is limited to the capabilities of that app key. Authorization tokens expire after 24 hours. You can use your app key to create new authorization tokens as they expire.
    • b2_create_key This operation creates a new app key for your account. The bucketIds field can be used to restrict the key to a single bucket or group of buckets. You can configure expiration times for an app key. However, if an app key expires, you cannot use it to generate authorization tokens, and it will not be listed by b2_list_keys.
    • b2_delete_key This operation deletes one app key.
    • b2_list_keys This operation lists all of the app keys in your account.
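    The constraints in the settings table (key name character set and length, the 1000-day duration ceiling, the capability list that a bucket-restricted key may carry, and the single-bucket condition on listAllBucketNames) are the kind of thing worth checking before a b2_create_key request leaves your provisioning code, so that an over-broad key is never minted by accident. The following Python is an added example and is not Backblaze's own code: it uses the API field names exactly as the table above gives them, and it assumes an accountId field in the request body, that namePrefix is only meaningful together with a bucket restriction, and placeholder IDs in place of real ones.

```python
import re

# Capabilities the page lists as the only ones permitted on a bucket-restricted key.
BUCKET_RESTRICTED_CAPABILITIES = frozenset({
    "listAllBucketNames", "listBuckets", "readBuckets", "writeBuckets",
    "readBucketEncryption", "writeBucketEncryption",
    "readBucketRetentions", "writeBucketRetentions",
    "listFiles", "readFiles", "shareFiles", "writeFiles", "deleteFiles",
    "readFileLegalHolds", "writeFileLegalHolds",
    "readFileRetentions", "writeFileRetentions", "bypassGovernance",
    "readBucketReplications", "writeBucketReplications",
    "readBucketNotifications", "writeBucketNotifications",
})

# "A positive integer less than 1000 days (in seconds)" from the settings table.
MAX_DURATION_SECONDS = 1000 * 24 * 60 * 60

# Key names: up to 100 characters of letters, digits and "-", no I18N characters.
KEY_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,100}")


def validate_create_key_request(key_name, capabilities, bucket_ids=None,
                                name_prefix=None, valid_duration_seconds=None):
    """Return a list of problems with a proposed key; an empty list means it is acceptable."""
    errors = []
    caps = set(capabilities)

    if not KEY_NAME_RE.fullmatch(key_name):
        errors.append("keyName must be 1-100 ASCII letters, digits or '-'")

    if not caps:
        errors.append("capabilities must not be empty")

    if bucket_ids:
        # Bucket-restricted keys may carry only the capabilities on the page's list.
        disallowed = sorted(caps - BUCKET_RESTRICTED_CAPABILITIES)
        if disallowed:
            errors.append(f"not permitted on a bucket-restricted key: {disallowed}")
        if "listAllBucketNames" in caps and len(bucket_ids) != 1:
            errors.append("listAllBucketNames is selectable only when access "
                          "is limited to a single bucket")
    elif name_prefix:
        # Assumption: the page describes namePrefix only for bucket-restricted keys,
        # so a prefix without a bucket restriction is flagged here.
        errors.append("namePrefix requires a bucket restriction")

    if valid_duration_seconds is not None:
        if (isinstance(valid_duration_seconds, bool)
                or not isinstance(valid_duration_seconds, int)
                or not 0 < valid_duration_seconds < MAX_DURATION_SECONDS):
            errors.append(f"validDurationSeconds must be a positive integer "
                          f"below {MAX_DURATION_SECONDS}")
    return errors


def build_create_key_request(account_id, key_name, capabilities, bucket_ids=None,
                             name_prefix=None, valid_duration_seconds=None):
    """Build the JSON body for b2_create_key with the field names from the settings
    table; raises ValueError instead of producing an over-broad or invalid key."""
    errors = validate_create_key_request(key_name, capabilities, bucket_ids,
                                         name_prefix, valid_duration_seconds)
    if errors:
        raise ValueError("; ".join(errors))
    body = {"accountId": account_id,          # assumed request field, not from the table
            "keyName": key_name,
            "capabilities": sorted(caps for caps in set(capabilities))}
    if bucket_ids:
        body["bucketIds"] = list(bucket_ids)
    if name_prefix:
        body["namePrefix"] = name_prefix
    if valid_duration_seconds is not None:
        body["validDurationSeconds"] = valid_duration_seconds
    return body


if __name__ == "__main__":
    # Constructed values; replace the placeholders with real IDs before use.
    print(build_create_key_request("ACCOUNT_ID_PLACEHOLDER", "media-readonly",
                                   ["listFiles", "readFiles"],
                                   bucket_ids=["BUCKET_ID_PLACEHOLDER"],
                                   name_prefix="public/",
                                   valid_duration_seconds=3600))
```

    Run the validator in CI or in the provisioning script that calls b2_create_key; a read-only, single-bucket, prefix-scoped, time-limited key passes, while a key name with an accented character, an account-level capability on a bucket-restricted key, or a duration at or above the 1000-day ceiling is rejected before any request is sent.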

    Multi-Bucket Application Keys

    You can use a Multi-Bucket Application Key to restrict access to one or more buckets, including the option to limit access based on a single file prefix. Access to all other buckets is then unauthorized. To create a Multi-Bucket Application Key that is restricted to a specific bucket or group of buckets, include an array of bucket IDs in your b2_create_key request using the new bucketIds field.

    However, an app key with the listAllBucketNames capability can still view all of the bucket names in the account.

    If you make a b2_list_buckets request with an app key that is restricted to one bucket, you must include the bucket ID (or name) in the request for that bucket.

    App keys that are restricted to a bucket can include only the following capabilities:

    • listAllBucketNames
    • listBuckets
    • readBuckets
    • writeBuckets
    • readBucketEncryption
    • writeBucketEncryption
    • readBucketRetentions
    • writeBucketRetentions
    • listFiles
    • readFiles
    • shareFiles
    • writeFiles
    • deleteFiles
    • readFileLegalHolds
    • writeFileLegalHolds
    • readFileRetentions
    • writeFileRetentions
    • bypassGovernance
    • readBucketReplications
    • writeBucketReplications
    • readBucketNotifications
    • writeBucketNotifications

    To list the files in the bucket, you must include a prefix at least as restrictive as the one in the app key; requests to list other files are denied. Reading, writing, and deleting are allowed only for matching files.

    The b2_authorize_account response includes an allowed field that contains the fields buckets, capabilities, and namePrefix to encapsulate application bucket restriction terms. Bucket-specific information, including the bucket id and name fields, is grouped within the buckets JSON object.
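    A client that holds a restricted key should apply the same rules locally that the service enforces: the capability must be on the key, a bucket-restricted key must name one of its buckets (listAllBucketNames being the stated exception), file operations must fall under namePrefix, a listing prefix must be at least as restrictive as the key's prefix, and the authorization token must be refreshed after 24 hours. The following Python is an added example, not Backblaze's code: the sample response is constructed from the page's description of the allowed object (buckets with id and name, capabilities, namePrefix), the surrounding fields and nesting are assumptions about the response shape, and an empty bucket list is assumed to mean an unrestricted key.

```python
import time

# Constructed sample modelled on the page's description of the b2_authorize_account
# response. Field nesting outside "allowed" is an assumption, not the live API shape.
SAMPLE_AUTHORIZE_RESPONSE = {
    "accountId": "ACCOUNT_ID_PLACEHOLDER",
    "authorizationToken": "AUTH_TOKEN_PLACEHOLDER",
    "allowed": {
        "buckets": [{"id": "BUCKET_ID_1", "name": "media-dist"}],
        "capabilities": ["listBuckets", "listFiles", "readFiles"],
        "namePrefix": "public/",
    },
}

# Authorization tokens expire after 24 hours.
AUTH_TOKEN_LIFETIME_SECONDS = 24 * 60 * 60


def parse_allowed(response):
    """Turn the allowed object into a policy that is easy to check.
    Assumption: an empty or missing bucket list means the key is unrestricted."""
    allowed = response["allowed"]
    return {
        "buckets": {b["id"]: b["name"] for b in (allowed.get("buckets") or [])},
        "capabilities": frozenset(allowed.get("capabilities") or []),
        "prefix": allowed.get("namePrefix") or "",
    }


def is_allowed(policy, capability, bucket_id=None, file_name=None, list_prefix=None):
    """Decide whether a request is within the key's restrictions; returns (decision, reason).

    Rules taken from the page:
      * the capability must be on the key;
      * a bucket-restricted key must name one of its buckets, except that
        listAllBucketNames may still list every bucket name in the account;
      * reading, writing and deleting are allowed only for files under namePrefix;
      * a listing prefix must be at least as restrictive as namePrefix.
    """
    if capability not in policy["capabilities"]:
        return False, f"key lacks capability {capability}"

    if policy["buckets"] and capability != "listAllBucketNames":
        if bucket_id is None:
            return False, "bucket-restricted key: the request must name the bucket"
        if bucket_id not in policy["buckets"]:
            return False, f"bucket {bucket_id} is not covered by this key"

    prefix = policy["prefix"]
    if file_name is not None and not file_name.startswith(prefix):
        return False, f"file name is outside namePrefix {prefix!r}"
    if list_prefix is not None and not list_prefix.startswith(prefix):
        return False, f"listing prefix {list_prefix!r} is broader than namePrefix {prefix!r}"
    return True, "ok"


def token_needs_refresh(issued_at_epoch, now_epoch=None):
    """True once an authorization token has reached its 24-hour lifetime and a
    fresh b2_authorize_account call (with the app key) is needed."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return now_epoch - issued_at_epoch >= AUTH_TOKEN_LIFETIME_SECONDS


if __name__ == "__main__":
    policy = parse_allowed(SAMPLE_AUTHORIZE_RESPONSE)
    requests = [
        dict(capability="readFiles", bucket_id="BUCKET_ID_1", file_name="public/logo.png"),
        dict(capability="readFiles", bucket_id="BUCKET_ID_1", file_name="private/keys.txt"),
        dict(capability="listFiles", bucket_id="BUCKET_ID_1", list_prefix=""),
        dict(capability="listBuckets"),
    ]
    for req in requests:
        print(req, "->", is_allowed(policy, **req))
```

    Evaluating requests against the parsed policy before sending them gives a clear local error (wrong bucket, file outside the prefix, listing broader than the prefix) instead of an opaque authorization failure, and makes it easy to unit-test that a given key really is as narrow as intended.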

    More information on Multi-Bucket Application Keys can be found here.

