Authentication
All requests to the rrwebCloud API require authentication using API keys. This ensures proper data isolation between tenants and secures your recordings.
API Keys
rrwebCloud uses bearer token authentication with API keys issued through Clerk. Each API key is associated with a specific tenant and includes a subject identifier that's used for data isolation.
Obtaining Your API Key
You can obtain your public API key from your rrwebCloud dashboard. This key should be included in all requests to the API.
Using API Keys
JavaScript SDK
When using the JavaScript SDK, provide your public API key in the start() method:
```javascript
import rrwebCloud from "@rrwebcloud/js-client";

rrwebCloud.start({
  publicAPIkey: "your-public-api-key-here",
});
```

See the JavaScript SDK documentation for more details.
HTTP API
For direct API requests, include your API key as a Bearer token in the Authorization header:
```bash
curl -H "Authorization: Bearer your-api-key-here" \
  https://api.rrwebcloud.com/rr/recordings
```

WebSocket Connections
For WebSocket connections from browsers, you must pass the API key as a query parameter since browsers cannot send custom headers with WebSocket requests:
```javascript
// JavaScript SDK (handled automatically)
rrwebCloud.start({
  publicAPIkey: "your-api-key-here",
});

// Manual WebSocket connection (if needed)
const ws = new WebSocket(
  "wss://api.rrwebcloud.com/recordings/abc-123/ingest/ws?token=your-api-key-here",
);
```

The JavaScript SDK handles this automatically when you provide the `publicAPIkey`: it appends `?token=your-api-key` to the WebSocket URL.
Multi-Tenancy
rrwebCloud uses a multi-tenant architecture where each API key is associated with a unique tenant identifier (extracted from the key's subject). This ensures:
- Data Isolation: Your recordings and metadata are completely isolated from other tenants
- Secure Access: You can only access recordings belonging to your tenant
- Tenant-Based Filtering: All database queries automatically filter by your tenant ID
How It Works
- When you make a request with your API key, the backend validates it with Clerk
- The tenant ID is extracted from the API key's `subject` field
- All data writes (events, metadata) are tagged with your tenant ID
- All data reads automatically filter to only return your tenant's data
- Database indexes use tenant ID as the primary sorting key for optimal performance
Presigned URLs
For scenarios where you need to share recordings without exposing your API key, you can use presigned URLs. These URLs include:
- A tenant identifier (for data isolation)
- An expiration timestamp
- A cryptographic signature
Presigned URLs are generated server-side and can be safely shared. See the API documentation for details on generating presigned URLs.
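To show how the three parts listed above fit together, here is an added example (not rrwebCloud's code or URL format) of a server issuing and checking a signed link in Node.js. The query parameter names `tenant`, `expires` and `sig`, the HMAC-SHA256 construction, and the `example.com` URL used to exercise it are assumptions made for illustration.

```javascript
// Added example, not rrwebCloud code: a hypothetical presigned-URL scheme.
// Assumptions: query parameters tenant/expires/sig and HMAC-SHA256 signing.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto"); // when loaded as an ES module

// The MAC covers every field the verifier later trusts. JSON encoding keeps
// the field boundaries unambiguous.
function signature(key, tenant, path, expires) {
  return nodeCrypto.createHmac("sha256", key)
    .update(JSON.stringify([tenant, path, expires]))
    .digest("base64url");
}

// Server side: issue a link for one path, valid for ttlSeconds.
function presign(key, baseUrl, tenant, ttlSeconds, now = Date.now()) {
  const url = new URL(baseUrl);
  const expires = Math.floor(now / 1000) + ttlSeconds;
  url.searchParams.set("tenant", tenant);
  url.searchParams.set("expires", String(expires));
  url.searchParams.set("sig", signature(key, tenant, url.pathname, expires));
  return url.toString();
}

// Server side: returns { ok: true, tenant } or { ok: false, reason }.
function verify(key, presignedUrl, now = Date.now()) {
  const url = new URL(presignedUrl);
  const tenant = url.searchParams.get("tenant");
  const expiresRaw = url.searchParams.get("expires");
  const sig = url.searchParams.get("sig");
  if (!tenant || !sig || !/^\d+$/.test(expiresRaw ?? "")) {
    return { ok: false, reason: "malformed" };
  }
  const expires = Number(expiresRaw);
  const expected = Buffer.from(signature(key, tenant, url.pathname, expires));
  const given = Buffer.from(sig);
  // Authenticate first, so unsigned values never drive a decision.
  // timingSafeEqual throws on unequal lengths, hence the length check.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (expires <= Math.floor(now / 1000)) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, tenant };
}
```

Because the tenant, path and expiry are all inside the signed string, changing any of them in a shared link invalidates the signature, and the signing key never leaves the server.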
Security Best Practices
- Never expose your API key in client-side code beyond the JavaScript SDK
- Use presigned URLs when you need to share recordings with third parties
- Rotate your keys regularly for enhanced security
- Monitor API usage to detect any unauthorized access
Rate Limiting
API requests are rate-limited per tenant to ensure fair usage and system stability. If you need higher limits, please contact support.