Dante Managed API Security Notes

A New API Endpoint will be Present from DDM 1.5

After installation of, or upgrade to, DDM 1.5 the server exposes a new GraphQL API endpoint at the path '/graphql'.

The API endpoint can be disabled in the Administration Menu if security policy requires it. While it is disabled, requests to the endpoint should receive '502 - Bad Gateway'.

We recommend against disabling it, because in the near future we plan to use the API for core product features as well as end-user integrations. A disabled endpoint can be re-enabled at any time via the Administration Menu.

API Access Control

All access through this endpoint is controlled by API keys or user tokens. A call is executed with exactly the permissions of the user whose API key or token authenticates it, neither more nor less than that user has in the web interface.

Requests that carry no API key or user token are rejected.

API keys are created and managed in the DDM web interface. API key management is disabled by default; the Site Controller can enable it under Settings in the DDM web interface. Once it is enabled, any user can create an API key carrying the same permissions as their own account, so an API key must be protected as carefully as that user's password.

Encryption of API Calls

If a TLS certificate is installed on the DDM to enable HTTPS for the web portal, all communication with the API is encrypted with HTTPS as well. Without one, API keys and user tokens cross the network in cleartext, where anyone on the path can capture and reuse them with the full rights of the owning user. We therefore strongly recommend installing a TLS certificate in any case.
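The following probe exercises the behaviour described under "API Access Control" and "Encryption of API Calls" above: it checks that the '/graphql' endpoint is enabled (a disabled endpoint answers 502), that an unauthenticated request is rejected, that an authenticated request succeeds, and it refuses to send an API key over plain HTTP. This is an added example written for these notes; it is not Audinate's or DDM's own code. It assumes, because the notes do not say, that the API key is presented as a bearer token in the Authorization header and that rejected requests answer 401 or 403; adjust the constants if your deployment differs.

```python
"""Probe a DDM 1.5-style GraphQL endpoint for the access-control and
transport behaviour described in the security notes.

Added example, not part of the DDM documentation or product code.
Assumptions (not stated in the notes): the API key travels as
'Authorization: Bearer <key>', and rejected requests answer 401 or 403.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

REJECT_CODES = {401, 403}                  # assumed "no/invalid credential" answers
DISABLED_CODE = 502                        # per the notes: disabled endpoint -> 502
PROBE_QUERY = {"query": "{ __typename }"}  # smallest valid GraphQL document


def http_send(url, headers, body):
    """Default transport: POST a JSON body and return the HTTP status code."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", **headers},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url, api_key=None, send=http_send):
    """Return a dict of findings for <base_url>/graphql.

    `send(url, headers, body) -> status` is injectable so the checks can be
    run offline against constructed responses.
    """
    url = base_url.rstrip("/") + "/graphql"
    findings = {"url": url, "tls": urlparse(base_url).scheme == "https"}

    # 1. Enabled at all? A disabled endpoint answers 502, so report that as
    #    "disabled" rather than as an error; the other checks are then moot.
    anon = send(url, {}, PROBE_QUERY)
    findings["enabled"] = anon != DISABLED_CODE
    # 2. Unauthenticated calls must be rejected.
    findings["anonymous_rejected"] = (anon in REJECT_CODES) if findings["enabled"] else None

    # 3. Only present a credential over TLS. A key sent over plain HTTP can be
    #    read by anyone on the path and grants the full rights of its owner.
    findings["key_withheld"] = False
    if api_key is None or not findings["enabled"]:
        findings["authenticated_ok"] = None
    elif not findings["tls"]:
        findings["authenticated_ok"] = None
        findings["key_withheld"] = True
    else:
        auth = send(url, {"Authorization": f"Bearer {api_key}"}, PROBE_QUERY)
        findings["authenticated_ok"] = auth == 200
    return findings


if __name__ == "__main__":
    # Usage: python probe.py https://ddm.example [API_KEY]
    base = sys.argv[1] if len(sys.argv) > 1 else "https://ddm.example"
    key = sys.argv[2] if len(sys.argv) > 2 else None
    for name, value in probe(base, key).items():
        print(f"{name:19} {value}")
```

Run it against a test domain before and after toggling the endpoint in the Administration Menu, and once over http:// to confirm the probe withholds the key; a deployment where `anonymous_rejected` comes back False deserves a support ticket before any key is issued.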