# Wiki.js API Authentication & Security Strategy
## 1. Authentication Method

- **Token Type:** Long-lived API keys, presented as JWT bearer tokens in the `Authorization: Bearer <token>` header of each request. Wiki.js keys always carry an expiry; set it to match the rotation interval in section 3 rather than the longest lifetime offered.
- **Generation:** Generated by an administrator via the Wiki.js Administration Area -> API Keys, bound to the agent group whose permissions define the key's scopes (section 2). The API itself is disabled until enabled on that same page.
- **Storage:** Stored as environment variables in the agent runtime environment (e.g., `WIKIJS_API_TOKEN`), never in the repository, a container image layer or the agent's logs.

## 2. Permission Scopes

To maintain least privilege, the API token used by agents is bound to a dedicated group that grants only the scopes below. In Wiki.js a key inherits the permissions of the group it is created for, so it is the group's permission set, not the key itself, that must be reviewed.

| Scope | Requirement | Justification |
|-------|-------------|---------------|
| `write:pages` | Mandatory | Allows agents to create and update content |
| `read:pages` | Mandatory | Allows agents to check existing content before updates |
| `write:assets` | Mandatory | Allows Agent G to upload images/files |
| `read:assets` | Mandatory | Allows checking for existing assets |
| `read:tags` | Optional | Allows agents to list existing tags so page metadata stays consistent |
| `manage:system` | **Prohibited** | Agents must NOT have administrative system access |

The prohibition extends to every other `manage:*` permission, in particular `manage:api`: a token that can create API keys can mint itself an unrestricted replacement, which defeats the rotation and revocation controls below.

## 3. Token Rotation Policy

- **Frequency:** Tokens are rotated every 90 days. Issue each key with an expiry no longer than that, so a missed rotation fails closed instead of leaving a live key behind.
- **Process:**
  1. Generate a new token in Wiki.js using the emergency Admin account (section 4). Creating and revoking keys requires `manage:api`/`manage:system`, which the agent token deliberately lacks, so the agent can never rotate its own credential.
  2. Update the environment variable in the agent deployment (Komodo/Docker) and restart the agent so the new value is loaded.
  3. Verify connectivity with the new token: a read and a write within the agent's scopes must succeed, and a request needing `manage:system` must be refused.
  4. Revoke the old token. Both keys are valid between steps 1 and 4, so keep that window short and confirm in the API Keys list that the old key shows as revoked.

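The rotation procedure above, and the bearer-token usage from section 1, as an added example that is not part of this page, of Wiki.js, or of the agent project. It assumes a Wiki.js 2.x GraphQL endpoint at `<base>/graphql`, the `authentication.createApiKey` / `authentication.revokeApiKey` mutations and the `system.info` query as they appear in the 2.x schema, the expiry string `90d`, and a `deploy` hook standing in for the Komodo/Docker environment update; the hypothetical group id, key id and URL come from the operator's environment. Because creating and revoking keys needs `manage:api`/`manage:system`, the script runs with the Admin identity from section 4, never with the agent token. The new key is verified directly against the API before the deployment is touched, and the check covers both directions of least privilege: a scoped read must succeed and an admin-only query must be refused, otherwise the old key is left in place.

```python
"""Rotate the agent's Wiki.js API key: create, verify, deploy, then revoke.

Added example for this page, not code from Wiki.js or the agent project.
Assumed: Wiki.js 2.x GraphQL at <base>/graphql, the query/mutation names
below, the "90d" expiry string, and injectable transport/deploy callables.
"""
import json
import os
import urllib.request
from typing import Callable, Optional

# (url, bearer token or None, JSON body) -> decoded JSON response
Transport = Callable[[str, Optional[str], dict], dict]


def http_transport(url: str, token: Optional[str], body: dict) -> dict:
    """Real transport: POST a GraphQL document with the key as a Bearer token."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def graphql_url(base_url: str) -> str:
    """Refuse plaintext: the bearer token travels in the request headers."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("Wiki.js API calls must use https://")
    return base_url.rstrip("/") + "/graphql"


def gql(transport: Transport, url: str, token: Optional[str],
        query: str, variables: Optional[dict] = None) -> dict:
    return transport(url, token, {"query": query, "variables": variables or {}})


def create_agent_key(transport, url, admin_token, name, group_id, expiration="90d"):
    """Step 1: mint a group-scoped key with the admin identity (needs manage:api)."""
    q = """mutation ($name: String!, $exp: String!, $group: Int) {
      authentication {
        createApiKey(name: $name, expiration: $exp, fullAccess: false, group: $group) {
          key
          responseResult { succeeded message }
        }
      }
    }"""
    r = gql(transport, url, admin_token, q,
            {"name": name, "exp": expiration, "group": group_id})
    data = r["data"]["authentication"]["createApiKey"]
    if not data["responseResult"]["succeeded"]:
        raise RuntimeError("createApiKey failed: " + str(data["responseResult"]["message"]))
    return data["key"]


def verify_agent_key(transport, url, agent_token) -> bool:
    """Step 3: the new key must be able to read pages AND be refused admin data."""
    ok = gql(transport, url, agent_token, "{ pages { list(limit: 1) { id path } } }")
    if ok.get("errors") or "pages" not in (ok.get("data") or {}):
        return False
    denied = gql(transport, url, agent_token, "{ system { info { currentVersion } } }")
    # If this succeeds the key carries manage:system and must never go live.
    return bool(denied.get("errors"))


def revoke_key(transport, url, admin_token, key_id: int) -> None:
    """Step 4: revoke the previous key by its id (from the admin API Keys list)."""
    q = """mutation ($id: Int!) {
      authentication { revokeApiKey(id: $id) { responseResult { succeeded message } } }
    }"""
    r = gql(transport, url, admin_token, q, {"id": key_id})
    res = r["data"]["authentication"]["revokeApiKey"]["responseResult"]
    if not res["succeeded"]:
        raise RuntimeError("revokeApiKey failed: " + str(res["message"]))


def rotate(transport, base_url, admin_token, old_key_id, group_id,
           deploy: Callable[[str], None], name="agent-g") -> str:
    """Create -> verify -> deploy -> revoke. A failed verify leaves the old key live."""
    url = graphql_url(base_url)
    new_key = create_agent_key(transport, url, admin_token, name, group_id)
    if not verify_agent_key(transport, url, new_key):
        raise RuntimeError("new key failed scope verification; old key left in place")
    deploy(new_key)  # step 2: hand the key to Komodo/Docker (hook is an assumption)
    revoke_key(transport, url, admin_token, old_key_id)
    return new_key


def write_env_file(path: str) -> Callable[[str], None]:
    """Example deploy hook: write WIKIJS_API_TOKEN to an owner-only env file."""
    def deploy(key: str) -> None:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(f"WIKIJS_API_TOKEN={key}\n")
    return deploy


if __name__ == "__main__":
    # Operator run: admin credential, old key id and group id come from the environment.
    rotate(http_transport, os.environ["WIKIJS_URL"], os.environ["WIKIJS_ADMIN_TOKEN"],
           int(os.environ["OLD_KEY_ID"]), int(os.environ["AGENT_GROUP_ID"]),
           write_env_file(os.environ.get("ENV_FILE", ".env.wikijs")))
```

The transport is injectable so the same flow can be dry-run against a fake server; in production `http_transport` is the only thing that talks to Wiki.js, and the new key never leaves the process except through the deploy hook, which writes it with mode 0600 instead of printing it.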
## 4. Write Access Control

- **Human Editing:** All human accounts in Wiki.js are assigned to a "Read-Only" group whose permissions are limited to `read:pages` and `read:assets`. The default group for newly created or self-registered accounts must be restricted the same way, otherwise a fresh login bypasses the rule.
- **Agent Editing:** Only the API account (the group the token is bound to) has write permissions, so every page revision not made by the Admin account is attributable to the agent token.
- **Emergency Bypass:** A single "Admin" account is maintained for emergency manual intervention, protected by 2FA. It is also the only identity able to create or revoke API keys, so it is used for the rotation in section 3 and for nothing else.

## 5. Security Best Practices

- **TLS:** All API calls MUST be made over HTTPS. The bearer token is sent in the `Authorization` header of every request, so a single plaintext hop discloses a credential that stays valid until the next rotation. The agent should refuse an `http://` base URL outright rather than rely on the server redirecting.
- **IP Whitelisting:** If possible, only accept API requests from the IP of the agent runner. Wiki.js has no built-in IP allowlist, so this belongs on the reverse proxy in front of it. The browser UI and API keys use the same `/graphql` endpoint, so the rule must match requests carrying an `Authorization: Bearer` header rather than the path alone, or human read-only users are locked out as well.
- **Audit Logs:** Enable Wiki.js logging and keep page history so that every change made via the API token is attributable to the API account and can be diffed or reverted. Review the log for rejected requests from the agent token, since a request outside its scopes is a sign of a compromised or misconfigured agent.