https://v1-18.docs.dapr.io/operations/security/Recent content in Securing Dapr deployments on Dapr DocsHugoenhttps://v1-18.docs.dapr.io/operations/security/mtls/Mon, 01 Jan 0001 00:00:00 +0000https://v1-18.docs.dapr.io/operations/security/mtls/<p>Dapr supports in-transit encryption of communication between Dapr instances using the Dapr control plane, Sentry service, which is a central Certificate Authority (CA).</p> <p>Dapr allows operators and developers to bring in their own certificates, or instead let Dapr automatically create and persist self-signed root and issuer certificates.</p> <p>For detailed information on mTLS, read the <a href="https://v1-18.docs.dapr.io/concepts/security-concept/">security concepts section</a>.</p> <p>If custom certificates have not been provided, Dapr automatically creates and persist self-signed certs valid for one year. In Kubernetes, the certs are persisted to a secret that resides in the namespace of the Dapr system pods, accessible only to them. In self-hosted mode, the certs are persisted to disk.</p>https://v1-18.docs.dapr.io/operations/security/oauth/Mon, 01 Jan 0001 00:00:00 +0000https://v1-18.docs.dapr.io/operations/security/oauth/<p>Dapr OAuth 2.0 <a href="https://v1-18.docs.dapr.io/operations/components/middleware/">middleware</a> allows you to enable <a href="https://oauth.net/2/">OAuth</a> authorization on Dapr endpoints for your web APIs using the <a href="https://tools.ietf.org/html/rfc6749#section-4.1">Authorization Code Grant flow</a>. You can also inject authorization tokens into your endpoint APIs which can be used for authorization towards external APIs called by your APIs using the <a href="https://tools.ietf.org/html/rfc6749#section-4.4">Client Credentials Grant flow</a>. When the middleware is enabled any method invocation through Dapr needs to be authorized before getting passed to the user code.</p> <p>The main difference between the two flows is that the <code>Authorization Code Grant flow</code> needs user interaction and authorizes a user where the <code>Client Credentials Grant flow</code> doesn&rsquo;t need a user interaction and authorizes a service/application.</p>https://v1-18.docs.dapr.io/operations/security/api-token/Mon, 01 Jan 0001 00:00:00 +0000https://v1-18.docs.dapr.io/operations/security/api-token/<p>By default, Dapr relies on the network boundary to limit access to its public API. If you plan on exposing the Dapr API outside of that boundary, or if your deployment demands an additional level of security, consider enabling the token authentication for Dapr APIs. This will cause Dapr to require every incoming gRPC and HTTP request for its APIs for to include authentication token, before allowing that request to pass through.</p>https://v1-18.docs.dapr.io/operations/security/app-api-token/Mon, 01 Jan 0001 00:00:00 +0000https://v1-18.docs.dapr.io/operations/security/app-api-token/<p>For some building blocks such as pub/sub, service invocation and input bindings, Dapr communicates with an app over HTTP or gRPC. To enable the application to authenticate requests that are arriving from the Dapr sidecar, you can configure Dapr to send an API token as a header (in HTTP requests) or metadata (in gRPC requests).</p> <h2 id="create-a-token">Create a token</h2> <p>Dapr uses shared tokens for API authentication. You are free to define the API token to use.</p>