Wiki.js API Authentication & Security Strategy
1. Authentication Method
- Token Type: Permanent API Keys (Bearer Tokens)
- Generation: Generated via the Wiki.js Administration Area -> API Keys
- Storage: Stored as environment variables in the agent runtime environment (e.g., WIKIJS_API_TOKEN).
2. Permission Scopes
To maintain security, the API token used by agents will be restricted to the minimum necessary scopes:
| Scope | Requirement | Justification |
|---|---|---|
| write:pages | Mandatory | Allows agents to create and update content |
| read:pages | Mandatory | Allows agents to check existing content before updates |
| write:assets | Mandatory | Allows Agent G to upload images/files |
| read:assets | Mandatory | Allows checking for existing assets |
| read:tags | Optional | Allows metadata tagging |
| manage:system | Prohibited | Agents must NOT have administrative system access |
3. Token Rotation Policy
- Frequency: Tokens should be rotated every 90 days.
- Process:
- Generate new token in Wiki.js.
- Update environment variable in agent deployment (Komodo/Docker).
- Verify connectivity.
- Revoke old token.
4. Write Access Control
- Human Editing: All human accounts in Wiki.js will be assigned to a "Read-Only" group.
- Agent Editing: Only the API account (associated with the token) will have write permissions.
- Emergency Bypass: A single "Admin" account will be maintained for emergency manual intervention, protected by 2FA.
5. Security Best Practices
- TLS: All API calls MUST be made over HTTPS.
- IP Whitelisting: If possible, Wiki.js should be configured to only accept API requests from the IP of the agent runner.
- Audit Logs: Enable Wiki.js audit logging to track all changes made via the API token.
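The following is an added example (not code from this document or the Wiki.js project) of how an agent-side client can enforce sections 1, 3 and 5 above: the key is read only from WIKIJS_API_TOKEN, bearer tokens are never sent over plain HTTP, the "Verify connectivity" rotation step is a real probe call, and key age is checked against the 90-day policy. It assumes the Wiki.js 2.x GraphQL endpoint lives at `<base>/graphql` and that the `pages.list` query is a cheap probe needing only read:pages.

```python
# Added example (not page or Wiki.js project code). Assumes the Wiki.js 2.x
# GraphQL endpoint is <base>/graphql, accepts "Authorization: Bearer <key>",
# and that `pages.list` is a cheap read:pages-only probe query.
import json
import os
import urllib.request
from datetime import date, timedelta
from urllib.parse import urlparse

TOKEN_ENV = "WIKIJS_API_TOKEN"  # env var named in section 1
ROTATION_DAYS = 90              # rotation frequency from section 3
PROBE_QUERY = "query { pages { list(limit: 1) { id path } } }"  # assumed


def load_token(env=os.environ):
    """Read the API key from the runtime environment, never from source."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set in the agent environment")
    return token


def build_request(base_url, token, query=PROBE_QUERY):
    """Return (url, headers, body) for a GraphQL call; refuse non-HTTPS."""
    parts = urlparse(base_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send a bearer token over '{parts.scheme}'")
    url = f"https://{parts.netloc}/graphql"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"query": query}).encode()


def verify_connectivity(base_url, token, timeout=10):
    """Rotation step 3: prove the new key works before revoking the old one."""
    url, headers, body = build_request(base_url, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    if payload.get("errors"):  # GraphQL returns 200 with an errors array
        raise RuntimeError(f"Wiki.js rejected the token: {payload['errors']}")
    return True


def rotation_due(issued_on, today=None):
    """True once a key is ROTATION_DAYS old (section 3)."""
    today = today or date.today()
    return today - issued_on >= timedelta(days=ROTATION_DAYS)
```

Run `verify_connectivity(base_url, load_token())` after updating the deployment's environment variable and only revoke the old key once it returns True.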