Stats API Authentication and Security
For security reasons, the Stats API caller must use HTTPS, as any non-HTTPS calls will be redirected to HTTPS endpoints.
Authentication of Stats API calls will be through the Authorization HTTP header. The caller must use both the access and secret keys (access:secret) provided by Wasabi as the Authorization header value.
You can find, generate, and rotate access keys within the Wasabi Console Access Keys feature.
The keys used must be from a Root account, have associated billing permissions, or have associated stats access permissions.
Keep the keys safe and protected. Use them only in trusted server-to-server communications. Do not put the keys in any untrusted environments (such as browser-side JavaScript) or otherwise expose them to unauthorized personnel.
To better control Stats API access, Wasabi provides Stats API policies such as WasabiAccountStatsAccess (full access for root users) and WasabiBucketStatsAccess (limited access for sub-users).