Dumb question, api key for app? Protect project but allow app to read some docs without login?
- 0
- Flutter
- Databases
- Auth
- Self Hosted
- REST API

I have my project set up, and I'm developing with Flutter. My app does not require users to log in to retrieve some general project data, but authentication is needed for other functionalities, data, docs, collections, etc. I understand that each document has its own access control levels, which is great. However, regarding the documents that the app can read without requiring login, the only options I see are "any" or "all guests".
If I set it to "any", the data is exposed to anyone worldwide, regardless of the client making the request (e.g., a simple curl command).
If I use "all guests", an anonymous session must be created (createAnonymousSession()) for it to work. Am I understanding this correctly?
Now, regarding the anonymous session, anyone could technically create an anonymous session and then access documents that are set to "all guests", correct?
My concern:
How can I protect my project so that both guests and authenticated users can read the documents/collections required for the app to function, but without allowing just anyone to create an anonymous session and access the documents outside of my app (e.g., via curl or a custom script)?
My goal:
I want to ensure that only my app can read the required documents/collections without the user having to log in, but no one outside my app should be able to access them.
Would creating an API key with the "Auth - sessions.write" permission be the solution? However, as I understand it, this would grant the entire app permission to create, update, and delete sessions for any user, right? That doesn't seem like the right approach for securing my project in the way I intend.
What would be the best way to achieve this?
Recommended threads
- Bypass Error When Creating Account With ...
Suppose user first uses email/pass for log in using xyz@gmail.com, few month later on decides to use google oauth2 with same xyz@gmail.com (or in reverse orde...
- Error while usining domain
While usining domain and im im messaging tab i see: 500 Internal Error But when i use IP:PORT i see this: (Photo) Where is problem The console looks like t...
- Realtime Memory Usage
Appwrite-Realtime container has been acting strangely lately. None of my functions use this feature, but it has been consuming a large chunk of memory. When I s...
