When I use the transcoding interface, I can still request without passing authentication. How can I restrict the transmission of specific credentials?
My request method is as follows:
curl --location --request POST 'https://xxx.com/cool/convert-to/pdf' \
--form 'data=@"C:\\Users\\yujik\\Downloads\\第一阶段第3次课_3.docx"'
refer to
local.json
"token": {
  "enable": {
    "request": {
      "inbox": true,
      "outbox": true
    },
    "browser": true
  },
  "inbox": {
    "header": "Authorization"
  },
  "outbox": {
    "header": "Authorization"
  }
},
"secret": {
  "inbox": {
    "string": "xxx"
  },
  "outbox": {
    "string": "xxx"
  },
  "session": {
    "string": "xxx"
  }
}
Hello @yujikuan
Do I understand that you are using WOPI conversion API? Is WOPI used for integration in general?
I used the WOPI method, but I found that this interface can be called without any restrictions. How can I restrict it through credentials such as tokens, instead of calling this interface for everyone? How to configure additional restrictions? I don’t know if you understand what I mean? Looking forward to your reply.
Hello @yujikuan
If you don’t mind, I will join this thread as well.
We’re checking the situation, I will contact you shortly.
Hello @yujikuan
You can use IP filter to restrict it: Configuring IP filter for ONLYOFFICE Docs
Sample of config:
"ipfilter": {
  "rules": [
    {"address": "xx.xxx.xxx.xxx", "allowed": true},
    {"address": "*", "allowed": false}
  ],
  "useforrequest": true,
  "errorcode": 403
},
Thank you for your recovery. I noticed that this configuration is not very flexible and the scope of services is difficult to confirm. Personally, I feel that it would be better to have a set of credential configurations.
Hello @yujikuan
Could you please elaborate on your idea? Do I understand it right that the desired scenario is some sort of combination of ip filter and credential configuration? If you can provide an example, it would be appreciated.
What I mean is: we should pass something like a key for authentication. Only requests that provide this key should be allowed to perform the transcoding. It should not be open for anyone who discovers the URL to use the transcoding service freely. I hope that makes my point clear.
I see your point, but the service is not open to everyone when ipfilter is enabled. Only requests from allowed IPs can access it.
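The concern raised in the thread, that the scope of the `ipfilter` rules is hard to confirm, can be checked offline before deploying a rule list. The following is an added example, not part of the thread and not ONLYOFFICE code: it models a rule list in the shape of the sample config and assumes that rules are tried in order, the first match decides, `*` is the only wildcard, the whole address must match, and an unmatched address is allowed. The addresses are constructed placeholders.

```python
import re

# Constructed rule list in the shape of the "ipfilter" sample above; the
# addresses are documentation-range placeholders, not values from the thread.
RULES = [
    {"address": "203.0.113.10", "allowed": True},
    {"address": "198.51.100.*", "allowed": True},
    {"address": "*", "allowed": False},
]


def _pattern(address):
    # Assumption: "*" is the only wildcard and stands for any run of characters.
    return re.compile(".*".join(re.escape(part) for part in address.split("*")))


def decide(rules, client_ip, default_allowed=True):
    """Return (allowed, index of the deciding rule or None).

    Assumption: the first matching rule wins and the whole address must match.
    """
    for index, rule in enumerate(rules):
        if _pattern(rule["address"]).fullmatch(client_ip):
            return rule["allowed"], index
    # Assumption: an address that matches no rule is not restricted.
    return default_allowed, None


def audit(rules):
    """List ways the effective scope may differ from what the author intended."""
    findings = []
    catch_all = [i for i, rule in enumerate(rules) if rule["address"] == "*"]
    if not catch_all:
        findings.append("no catch-all rule: unmatched addresses fall through to the default")
    elif rules[catch_all[0]]["allowed"]:
        findings.append("catch-all rule allows everyone")
    if catch_all and catch_all[0] != len(rules) - 1:
        findings.append(f"rules after index {catch_all[0]} are never reached")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.100", "198.51.100.7", "192.0.2.55"):
        print(ip, decide(RULES, ip))
    print(audit(RULES) or "rule list is default-deny")
```
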