Dumb question, api key for app? Protect project but allow app to read some docs without login?
- 0
- Flutter
- Databases
- Auth
- Self Hosted
- REST API

I have my project set up, and I'm developing with Flutter. My app does not require users to log in to retrieve some general project data, but authentication is needed for other functionalities, data, docs, collections, etc. I understand that each document has its own access control levels, which is great. However, regarding the documents that the app can read without requiring login, the only options I see are "any" or "all guests".
If I set it to "any", the data is exposed to anyone worldwide, regardless of the client making the request (e.g., a simple curl command).
If I use "all guests", an anonymous session must be created (createAnonymousSession()) for it to work. Am I understanding this correctly?
Now, regarding the anonymous session, anyone could technically create an anonymous session and then access documents that are set to "all guests", correct?
My concern:
How can I protect my project so that both guests and authenticated users can read the documents/collections required for the app to function, but without allowing just anyone to create an anonymous session and access the documents outside of my app (e.g., via curl or a custom script)?
My goal:
I want to ensure that only my app can read the required documents/collections without the user having to log in, but no one outside my app should be able to access them.
Would creating an API key with the "Auth - sessions.write" permission be the solution? However, as I understand it, this would grant the entire app permission to create, update, and delete sessions for any user, right? That doesn't seem like the right approach for securing my project in the way I intend.
What would be the best way to achieve this?
Recommended threads
- Document Data is null.
I'm using flutter and I've just got everything set up, the document meta data is null but the actual query is fine. (see screenshot) The permission I have ar...
- Flutter native Google Sign Up with googl...
Hey I want to use the native login instead of the WebView. Do you have any experience on that and has Appwrite to plan this support?
- cli 5.0.5 command for pull and push of d...
Hi i am using selfhosted appwrite 1.5.10, for migration (duplicate project) purpose i am using cli 5.0.5, but i am unable to find commands for pull and push, wh...
