Skip to content

Worker authentication

Two available strategies can be used to authenticate Workers against a Server.

StrategyFeatures
API keyRequires explicit initial setup on Server for each Worker
Auto-EnrollmentServer is configured once with a shared secret, which is re-used by Worker

API Key Authentication

Known as the default strategy, API key authentication is useful when further control is needed over Worker authentication. It’s especially useful for Workers running on untrusted (or less-trusted) systems. With this strategy, Workers must be configured and authorized on the Server before they are allowed to connect to the Server.

Adding a new Worker involves the following two steps, as well as specific configuration:

Server Configuration

  1. Create a new Worker with a name. As an option, customize the Worker ID.

  2. Create a new API key on the Server, or re-use an existing API key.

Worker Configuration

Under the Worker startup settings:

  1. Configure the Worker ID (LYFTDATA_WORKER_ID) and API key (LYFTDATA_WORKER_API_KEY) as per the Server configuration above.

Auto-Enrollment Authentication

Auto-Enrollment uses a shared secret, configured once on the Server and then re-used among Workers. Unlike the API key strategy, adding new Workers does not require initial Server configuration. Because of the shared secret, it’s recommended to only use this strategy for Workers running on trusted or self-managed systems.

The Auto-Enrollment strategy is disabled by default on the Server. Enable it as follows:

Server

  1. Configure a shared secret in the Server startup settings (LYFTDATA_AUTO_ENROLLMENT_KEY).

Worker

  1. Configure an Worker with a name (LYFTDATA_WORKER_NAME) and the Server shared secret (LYFTDATA_AUTO_ENROLLMENT_KEY).

  2. Do not give the Worker an ID or API key (LYFTDATA_WORKER_ID).

The Server will automatically create Worker entries for any connecting Workers using the Server Auto-Enrollment secret.

:::note SecuRity Use a randomly generated value of at least 32 characters for the shared secret, for example: c3s3R0s1T5QAQr7lz1KsT00pKh3adnma. :::