Access Control

To control access to the Synapse API for registering handlers, the administrator must enable access control through the synapse.auth.enabled property.

If access control is on, all the APIs that work on Synapse configuration expect clients to provide either a valid username and password combination or a valid token. A valid username/password combination is such that exists in Axon Server so it can verify the user has the correct roles for the request. Same for the token, it must exists in Axon Server with the required role.

The required roles for the specific request types are:

If you are using Axon Synapse in combination with Axon Server Standard edition the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property for the GET operations, and the axoniq.axonserver.accesscontrol.admin-token property for the other requests.

When a client sends a request to Synapse, it needs to provide a token to authenticate itself. The client must provide this token through the X-API-KEY header. The token must be a valid token in Axon Server, for an application to execute the request type in the specified context.

If you are using Axon Synapse in combination with Axon Server Standard edition the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property.

When you register a request handler in Synapse, you can specify two types of tokens:

The client token is the token that Synapse passes to the request handler. This way you can protect the request handler from illegal access. Axon Synapse passes the client token to the request handler as a Bearer token in the Authentication header.

Axon Server verifies the server token on requests to register the handler. It needs to be a valid application token, with a role that allows registering that type of handler. For instance, to register a command handler, you need the token of an application to contain one of the following roles in Axon Server: SUBSCRIBE_COMMAND_HANDLER, WRITE, or USE_CONTEXT.

If you are using Axon Synapse in combination with Axon Server Standard edition the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property.