Merge pull request #1407 from qdrant/chore/seb/jwt_docs

Add docs on Database API keys on Managed Cloud
qdrant · Jan 27, 2025 · 56d9911 · 56d9911
2 parents 976eb5b + e243212
commit 56d9911
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 16 deletions.
diff --git a/qdrant-landing/content/documentation/cloud/authentication.md b/qdrant-landing/content/documentation/cloud/authentication.md
@@ -5,31 +5,50 @@ weight: 30
 
 # Database Authentication in Qdrant Managed Cloud
 
-This page shows you how to use the Qdrant Cloud Console to create a Database API key for a cluster. You will learn how to connect to your cluster using the new API key.
+This page describes what Database API keys are and shows you how to use the Qdrant Cloud Console to create a Database API key for a cluster. You will learn how to connect to your cluster using the new API key.
+
+Database API keys can be configured with granular access control. Database API keys with granular access control can be recognized by starting with `eyJhb`. Please refer to the [Table of access](/documentation/guides/security/#table-of-access) to understand what permissions you can configure.
 
 ## Create Database API keys
 
-The API key is only shown once after creation. If you lose it, you will need to create a new one. 
-However, we recommend rotating the keys from time to time. To create additional API keys do the following.
+<aside role="alert">
+    The API key is only shown once after creation. If you lose it, you will need to create a new one. 
+</aside>
 
 1. Go to the [Cloud Dashboard](https://qdrant.to/cloud).
 2. Go to the **API Keys** section of the Cluster detail page.
-3. Click **Create**. If you have granular access control activated, you can now configure the permissions for the new key.
-4. Click **OK** and retrieve your API key. 
+3. Click **Create**.
+4. Choose a name and an optional expiration (in days, the default is 90 days) for your API key. An empty expiration will result in no expiration.
+5. By default, tokens are given cluster-wide permissions, with a choice between manage/write permissions (default) or read-only.<br/><br/>To restrict a token to a subset of collections, you can select the Collections tab and choose from the collections available in your cluster.
+6. Click **Create** and retrieve your API key.
+
+We recommend configuring an expiration and rotating your API keys regularly as a security best practice.
+
+## Admin Database API keys
+
+The previous iteration of Database API keys, called Admin Database API keys, do not have granular access control. Clusters created before January 27, 2025 will still see the option to create Admin Database API keys. Older Admin Database API keys will continue to work but we do recommend switching to Database API keys with granular access control to take advantage of better security controls.
+
+<aside role="alert">
+    Enabling Database API keys with granular access control will trigger a restart of your cluster.
+</aside>
+
+To enable Database API keys with granular access control, click **Enable** on the **API Keys** section of the Cluster detail page.
+
+After enabling Database API keys with granular access control for a cluster, existing Admin Database API keys will continue to work, but you will not be able to create new Admin Database API Keys.
 
 ## Test cluster access
 
 After creation, you will receive a code snippet to access your cluster. Your generated request should look very similar to this one:
 
 ```bash
 curl \
-  -X GET 'https://xyz-example.eu-central.aws.cloud.qdrant.io:6333' \
+  -X GET 'https://xyz-example.cloud-region.cloud-provider.cloud.qdrant.io:6333' \
   --header 'api-key: <paste-your-api-key-here>'
 ```
 Open Terminal and run the request. You should get a response that looks like this:
 
 ```bash
-{"title":"qdrant - vector search engine","version":"1.8.1"}
+{"title":"qdrant - vector search engine","version":"1.13.0","commit":"ffda0b90c8c44fc43c99adab518b9787fe57bde6"}
 ```
 
 > **Note:** You need to include the API key in the request header for every
@@ -42,20 +61,20 @@ Our [official Qdrant clients](/documentation/interfaces/) for Python, TypeScript
 
 ```bash
 curl \
-  -X GET https://xyz-example.eu-central.aws.cloud.qdrant.io:6333 \
+  -X GET https://xyz-example.cloud-region.cloud-provider.cloud.qdrant.io:6333 \
   --header 'api-key: <provide-your-own-key>'
 
 # Alternatively, you can use the `Authorization` header with the `Bearer` prefix
 curl \
-  -X GET https://xyz-example.eu-central.aws.cloud.qdrant.io:6333 \
+  -X GET https://xyz-example.cloud-region.cloud-provider.cloud.qdrant.io:6333 \
   --header 'Authorization: Bearer <provide-your-own-key>'
 ```
 
 ```python
 from qdrant_client import QdrantClient
 
 qdrant_client = QdrantClient(
-    "xyz-example.eu-central.aws.cloud.qdrant.io",
+    "xyz-example.cloud-region.cloud-provider.cloud.qdrant.io",
     api_key="<paste-your-api-key-here>",
 )
 ```
@@ -64,15 +83,15 @@ qdrant_client = QdrantClient(
 import { QdrantClient } from "@qdrant/js-client-rest";
 
 const client = new QdrantClient({
-  host: "xyz-example.eu-central.aws.cloud.qdrant.io",
+  host: "xyz-example.cloud-region.cloud-provider.cloud.qdrant.io",
   apiKey: "<paste-your-api-key-here>",
 });
 ```
 
 ```rust
 use qdrant_client::Qdrant;
 
-let client = Qdrant::from_url("https://xyz-example.eu-central.aws.cloud.qdrant.io:6334")
+let client = Qdrant::from_url("https://xyz-example.cloud-region.cloud-provider.cloud.qdrant.io:6334")
     .api_key("<paste-your-api-key-here>")
     .build()?;
 ```
@@ -84,7 +103,7 @@ import io.qdrant.client.QdrantGrpcClient;
 QdrantClient client =
     new QdrantClient(
         QdrantGrpcClient.newBuilder(
-                "xyz-example.eu-central.aws.cloud.qdrant.io",
+                "xyz-example.cloud-region.cloud-provider.cloud.qdrant.io",
                 6334,
                 true)
             .withApiKey("<paste-your-api-key-here>")
@@ -95,7 +114,7 @@ QdrantClient client =
 using Qdrant.Client;
 
 var client = new QdrantClient(
-  host: "xyz-example.eu-central.aws.cloud.qdrant.io",
+  host: "xyz-example.cloud-region.cloud-provider.cloud.qdrant.io",
   https: true,
   apiKey: "<paste-your-api-key-here>"
 );
@@ -105,7 +124,7 @@ var client = new QdrantClient(
 import "github.com/qdrant/go-client/qdrant"
 
 client, err := qdrant.NewClient(&qdrant.Config{
-	Host:   "xyz-example.eu-central.aws.cloud.qdrant.io",
+	Host:   "xyz-example.cloud-region.cloud-provider.cloud.qdrant.io",
 	Port:   6334,
 	APIKey: "<paste-your-api-key-here>",
 	UseTLS: true,

diff --git a/qdrant-landing/content/documentation/guides/security.md b/qdrant-landing/content/documentation/guides/security.md
@@ -148,7 +148,7 @@ Both API keys can be used simultaneously.
 *Available as of v1.9.0*
 
 For more complex cases, Qdrant supports granular access control with [JSON Web Tokens (JWT)](https://jwt.io/).
-This allows you to have tokens, which allow restricited access to a specific parts of the stored data and build [Role-based access control (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) on top of that.
+This allows you to create tokens which restrict access to data stored in your cluster, and build [Role-based access control (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) on top of that.
 In this way, you can define permissions for users and restrict access to sensitive endpoints.
 
 To enable JWT-based authentication in your own Qdrant instance you need to specify the `api-key` and enable the `jwt_rbac` feature in the configuration: