Skip to main content

Current Status

The Runtime API currently does not implement authentication. All endpoints are publicly accessible without requiring API keys, tokens, or other credentials.
Running the API without authentication in production environments poses security risks. It is strongly recommended to implement authentication before deploying to production.

Making API Requests

Since authentication is not currently required, you can make requests directly to any endpoint: 
curl -X POST http://localhost:8081/api/execute \
  -H "Content-Type: application/json" \
  -d '{
    "code": "print(42)",
    "language": "python"
  }'
No authentication headers are needed.

Security Considerations

While the API lacks authentication, it implements several security measures:

Docker Isolation

All code executes in isolated Docker containers, providing:
  • Process isolation - Code runs in a separate container environment
  • Resource limits - Memory and CPU constraints prevent resource exhaustion
  • Network isolation - Containers have restricted network access
  • Automatic cleanup - Containers are destroyed after execution

Input Validation

The API validates all incoming requests to ensure:
  • Valid language specification
  • Proper request format
  • Non-empty code submissions
For production deployments, consider implementing:
Implement API key-based authentication using Spring Security. Clients would include an API key in request headers:
curl -X POST http://localhost:8081/api/execute \
  -H "X-API-Key: your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{...}'
Use JSON Web Tokens (JWT) for stateless authentication. Clients would obtain a token and include it in the Authorization header:
curl -X POST http://localhost:8081/api/execute \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{...}'
Implement rate limiting to prevent abuse:
  • Limit requests per IP address
  • Implement per-user quotas
  • Use libraries like Bucket4j or Spring Cloud Gateway
Secure your deployment infrastructure:
  • Use HTTPS/TLS for all communication
  • Deploy behind a reverse proxy (nginx, Apache)
  • Implement firewall rules
  • Use VPC/private networks in cloud environments

Implementation Example

To add basic API key authentication to the Runtime API, you would:
  1. Add Spring Security dependency to pom.xml
  2. Create a SecurityConfig class to configure authentication
  3. Implement an API key filter to validate keys
  4. Update the controller to require authentication
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .addFilterBefore(new ApiKeyAuthFilter(), 
                           UsernamePasswordAuthenticationFilter.class);
    }
}
These are simplified examples for illustration. Production authentication should use proper key management, secure storage, and comprehensive error handling.

Best Practices

When implementing authentication for the Runtime API:
1

Choose an authentication method

Select an approach based on your use case (API keys for service-to-service, JWT for user-facing applications)
2

Secure credential storage

Store API keys and secrets in environment variables or secure vaults (never in code)
3

Implement rate limiting

Protect against abuse even with authenticated requests
4

Enable HTTPS

Always use TLS encryption for production traffic
5

Monitor and log

Track authentication attempts and failed requests for security monitoring

Next Steps

API Overview

Return to the API overview

Execute Endpoint

Learn about the code execution endpoint

Build docs developers (and LLMs) love

Get started for freeTalk to us