While turbopuffer strives to be as low interaction as possible, there are certain manual operations you will have to perform in your BYOC deployment.
turbopuffer BYOC allows you to configure multiple organizations, each with their own set of API keys which you can use to scope data access. Currently, we only support creating admin API keys, that will apply to all namespaces in their organization. For this reason, if you need to ensure data is isolated we recommend creating multiple organizations instead. If this is a limitation, we recommend you contact us on Slack.
You can generate valid org IDs and API keys using any tooling that produces cryptographically random values. The format requirements are:
Org ID
[a-z0-9] (lowercase alphanumeric only)API Key
tpuf_[a-zA-Z0-9]tpuf_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXStored API Key Hash
base64(sha256(full_api_key))tpuf_ prefixYour BYOC kit includes a generate_secrets.py script that generates these values for you.
authentication:
allowed_api_keys_sha256:
"your24charorgidhere1234":
- "YourBase64EncodedSHA256HashHere+40CharactersTotal="
- "AnotherBase64EncodedSHA256HashHere+40CharactersTot="
To add more organizations, generate new org ID and API key pairs and add them to the configuration:
authentication:
allowed_api_keys_sha256:
"existingorgid123456789012":
- "ExistingOrgKeyHash..."
- "AnotherExistingOrgKeyHash..."
"neworgid0987654321abcdef":
- "NewOrgKeyHash..."
- "AnotherNewOrgKeyHash..."
Each organization can have multiple API keys for key rotation, different services, or other access patterns. To add a new API key, use the api_key.py script from your BYOC kit and append the generated hash to the organization's key list:
authentication:
allowed_api_keys_sha256:
"existingorgid123456789012":
- "ExistingOrgKeyHash..."
- "NewlyAddedKeyHash..."
After updating the configuration, apply the changes using the helm upgrade command.
