Lariba Cloud
Lariba CloudOperational control plane
Available nowIn progressLast updated: June 2026

Authentication

Lariba Cloud uses different authentication models for dashboard users and external event producers. User sessions protect dashboard actions. Source API keys protect event ingestion.

Available now

Dashboard user session

Used by authenticated users inside the Lariba Cloud dashboard to manage workspaces, projects, sources, API keys, and operational views.

Available now

Source API key

Used by external systems to send events into Lariba Cloud through the Ingestion API.

Available now

Source trust boundary

Each source key should be scoped to a known Event Source, project, and ingestion permission boundary.

In progress

Browser-safe policies

Browser-facing keys should require explicit origin and event-type restrictions before being exposed to public clients.

User sessions vs source keys

Dashboard users authenticate with the application session to manage product configuration. External producers authenticate with a source API key to send events. A backend service, ERP connector, or worker should not use a dashboard user session for ingestion.

Available now

  • Source-scoped API keys
  • Source enable/disable lifecycle
  • Project-level source boundaries
  • Ingestion authentication with X-API-Key

In progress

  • Key rotation
  • Key expiry
  • Origin restrictions
  • Allowed event-type policies
  • Deeper audit coverage

Planned

  • Full RBAC hardening
  • Fine-grained team roles
  • Auditor-only access paths
  • Expanded policy engine

Key handling rules

Source API keys should be treated as secrets. Do not commit them to source control, expose them in logs, paste them into public issue trackers, or share them outside the system that owns the source.

Source API keys should not be exposed publicly unless a browser-safe key mode is explicitly configured with origin restrictions, allowed event types, and abuse controls.
If a source key is suspected to be compromised, disable the source or revoke the linked key, review recent activity, and issue a replacement credential for the producer.