Skip to content

docs: document API key auth, transport security, and WebSocket limitations #134

Description

@brucearctor

Summary

PR #124 adds API key authentication support but includes no documentation updates. This issue tracks the documentation needed before the v2.5.0 release.

Documentation Items

1. API Key Feature Documentation

  • Add apiKey to the configuration options table in README
  • Document data-api-key HTML attribute for script-tag deployment
  • Document the x-api-key HTTP header behavior
  • Show usage examples:
    <!-- Script tag -->
    <script src="userale.min.js" data-url="https://logs.example.com" data-api-key="your-key"></script>
    // NPM module
    userale.options({ apiKey: "your-key" });
  • Document the extension auth mode selector (None / OAuth / API Key)

2. Security Documentation — API Keys as Public Identifiers

  • Document that UserALE.js API keys are client-side identifiers (like Google Maps API keys), not secrets
  • The key is visible in page source (data-api-key), in the JS bundle, and in browser DevTools
  • Backend should treat these as routing/identification tokens with limited scope (write-only to log ingestion, no read access)
  • Recommend rate-limiting and key scoping on the backend

3. CORS / Preflight Documentation

  • x-api-key is NOT a CORS-safelisted header — it triggers a preflight OPTIONS request on cross-origin POST
  • Backend MUST respond to OPTIONS with Access-Control-Allow-Headers: x-api-key
  • This applies equally to the existing Authorization header
  • Provide a sample CORS configuration for common backends (nginx, Express, etc.)

4. WebSocket Transport Limitations

  • Document that authentication headers (Authorization, x-api-key) are NOT sent over WebSocket transport
  • WebSocket API does not support custom headers on the initial handshake
  • If auth is required with WebSocket, users should pass credentials as query parameters on the WebSocket URL or use a token in the first message

5. Relationship to headers Config

  • Document that apiKey is a convenience shortcut for headers: { "x-api-key": "..." }
  • Power users can use registerHeadersCallback() for dynamic header generation
  • apiKey and headers can coexist (custom headers are applied last and can override)

Context

Identified during review of #124. All items are documentation-only — no code changes required.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions