An Access Grant is a security envelope that contains a satellite address, a restricted API Key, and a set of one or more restricted prefix-based encryption keys—everything an application needs to locate an object on the network, access that object, and decrypt it.
Access Grants coordinate two parallel constructs—encryption and authorization in a way that makes it easy to share data without having to manage access control lists or use complex encryption tools. Both of these constructs work together to provide a client-side access management framework that’s secure and private, as well as extremely flexible for application developers.
To make the implementation of these constructs as easy as possible for developers, the Storj DCS developer tools abstract the complexity of encoding objects for access management and encryption/decryption. A simple share command encapsulates an encryption key, an API Key (a bearer token), and the appropriate Satellite address into an encoded string called an Access Grant.
Access Grants can be imported easily into an Uplink client, whether it's the CLI, developer library, or a client application. Imported Access Grants are managed client-side and may be leveraged in applications via the uplink client library.
Access Grants can be restricted both from the server side (at the Satellite) and from the client side using the CLI or libuplink library, a serialized, hierarchically derived structure. When creating restricted access grants, both the API Key and the encryption key are hierarchically derived automatically from the parent Access Grant.