viewer icon indicating copy to clipboard operation
viewer copied to clipboard
verified publisher icon iTwin

Natively support Share Keys

Open aruniverse opened this issue 7 months ago • 4 comments

The iTwin Platform now supports "Share Keys". The iModels Share API provides a way to publicly share an iModel without needing to authenticate.

Today you can still use the share key with the viewer, but not as easily as it should be. The <Viewer /> component should be able to accept a prop for a share key. Either a new prop or re-use the authClient prop.

Example of working share key in viewer

cc @pbell97 @davidhjones

aruniverse avatar Jul 23 '25 17:07 aruniverse

I'm assuming the viewer will want to handle cases where a share key and the standard auth client can be used...?

Like, if the user has access on an iTwin level to some resources, that the iModel's share key doesn't have

hl662 avatar Jul 23 '25 18:07 hl662

I dont think we should handle that and should focus on happy path

aruniverse avatar Jul 23 '25 18:07 aruniverse

The 'iModels Share API' link you included is the old method of sharing (only an iModel, and I think might eventually be deprecated?). The correct documentation is the iTwin Sharing API here, which is part of the Access Control API. The 'default' contract which is documented in the link has a limited set of supported URLs, but we help individual applications create their own share contracts for using an expanded set of URLs for additional use cases (ex. iTwin Experience has a unique set of URLs for their workflow, and those shares can only be created through their application). We intentionally don't have all URLs whitelisted for the public 'default' contract in order to prevent 3rd party users from skirting around paying for the more expensive APIs.

Anyone who is interesting in developing a share contract for their application's workflow, please feel free to reach out to @davidhjones and I.

pbell97 avatar Jul 23 '25 19:07 pbell97

I'd like to call out that the default contract does not include the /rpc/ endpoints needed by itwin.js. This is an intentional decision, meant to limit the scope of 'default' usage -- remember 'sharing' is free, and thus, could run up usage quite easily with its viral possibilities.

This could be a deal breaker for natively supporting share keys in itwin js?

Furthermore, I do want to reiterate what @pbell97 was calling out. Share keys can support the /rpc/ endpoint, but that would require either

  1. Expanding the scope of the default contract to allow /rpc/ requests
  2. Creating a new share contract which allows /rpc/ requests, which would be used to generate itwin.js compatible keys, and would be potentially feature-gated behind a subscription or some other paywall.

@shehzan10 -- I suspect we need to touch base on this decision. Its recently impacted this effort, as well as the consumption of sharing in cesiumjs / cesium+itwin showcases & itwin sandbox.

davidhjones avatar Aug 07 '25 14:08 davidhjones