# Multi-tenant Authentication with API Keys

This notebook demonstrates how to use TimeDB's authentication system with API keys and tenant isolation.

## What we'll cover:
1. Setting up the database schema with users table
2. Creating tenants and users via CLI
3. Using API keys to authenticate requests
4. Demonstrating tenant isolation (each user only sees their own data)
5. Testing authentication enforcement

In [2]:
import os
import uuid
import subprocess
import requests
import pandas as pd
from datetime import datetime, timezone, timedelta
from dotenv import load_dotenv
load_dotenv()

# Use TEST_TIMEDB_DSN for testing (falls back to DATABASE_URL if not set)
DATABASE_URL = os.environ.get("TEST_TIMEDB_DSN") or os.environ.get("DATABASE_URL")
if not DATABASE_URL:
    raise ValueError("Please set TEST_TIMEDB_DSN or DATABASE_URL environment variable")

# IMPORTANT: Override both TIMEDB_DSN and DATABASE_URL so the API server uses the same database
# The API reads from TIMEDB_DSN first, then falls back to DATABASE_URL
os.environ["TIMEDB_DSN"] = DATABASE_URL
os.environ["DATABASE_URL"] = DATABASE_URL

# API base URL
API_BASE_URL = "http://127.0.0.1:8000"

print(f"Database URL configured: {DATABASE_URL[:50]}...")
print(f"Environment variables set for API server")
print(f"API URL: {API_BASE_URL}")

Database URL configured: postgres://tsdbadmin:sykc9mku4fxsd4ya@u4c7ocoul8.r...
Environment variables set for API server
API URL: http://127.0.0.1:8000


## Part 1: Setup Database Schema with Users Table

First, we'll create the database schema including the users table for authentication.

In [3]:
# Delete existing schema (for a clean start)
result = subprocess.run(
    ["timedb", "delete", "tables", "--dsn", DATABASE_URL, "-y"],
    capture_output=True,
    text=True
)
print("Delete tables:", result.stdout or result.stderr)

# Create schema with users table
result = subprocess.run(
    ["timedb", "create", "tables", "--dsn", DATABASE_URL, "--with-users", "-y"],
    capture_output=True,
    text=True
)
print("Create tables:", result.stdout or result.stderr)

Delete tables: [32m✓[0m All timedb tables deleted

Create tables: Creating database schema...
✓ Schema created successfully
[32m✓[0m Base timedb tables created
[32m✓[0m Users table created

[1;32mSchema created successfully![0m



## Part 2: Create Tenants and Users

Now we'll create two separate tenants, each with their own user. Each user gets a unique API key that is tied to their tenant_id.

In [4]:
# Generate two tenant IDs
tenant_a_id = str(uuid.uuid4())
tenant_b_id = str(uuid.uuid4())

print(f"Tenant A ID: {tenant_a_id}")
print(f"Tenant B ID: {tenant_b_id}")

Tenant A ID: adbe46ce-04e5-4352-8aa9-6accf88a9aeb
Tenant B ID: ed1c643e-158f-4183-bbac-b9711dedd908


In [5]:
# Create User A for Tenant A
result = subprocess.run(
    ["timedb", "users", "create", 
     "--dsn", DATABASE_URL, 
     "--tenant-id", tenant_a_id, 
     "--email", "alice@tenant-a.com"],
    capture_output=True,
    text=True
)
print(result.stdout)
if result.returncode != 0:
    print("Error:", result.stderr)

# Extract API key from output
for line in result.stdout.split('\n'):
    if 'API Key:' in line:
        api_key_a = line.split('API Key:')[1].strip()
        print(f"\nStored API Key A: {api_key_a}")

[32m╭─[0m[32m─────────────────────────────────[0m[32m New User [0m[32m─────────────────────────────────[0m[32m─╮[0m
[32m│[0m [1;32mUser created successfully![0m                                                   [32m│[0m
[32m│[0m                                                                              [32m│[0m
[32m│[0m   User ID:   [36md5acf895-2df1-4f0f-b6fe-d2cd32653e12[0m                            [32m│[0m
[32m│[0m   Tenant ID: [36madbe46ce-04e5-4352-8aa9-6accf88a9aeb[0m                            [32m│[0m
[32m│[0m   Email:     [36malice@tenant-a.com[0m                                              [32m│[0m
[32m│[0m                                                                              [32m│[0m
[32m│[0m   [1;33mAPI Key:[0m [1miEouF5yCZIzYCtsbmdWAfx85a8SdF_wrjBVitVyV0S4[0m                       [32m│[0m
[32m╰──────────────────────────────────────────────────────────────────────────────╯[0m

[33m⚠ Save the API key - it will

In [6]:
# Create User B for Tenant B
result = subprocess.run(
    ["timedb", "users", "create", 
     "--dsn", DATABASE_URL, 
     "--tenant-id", tenant_b_id, 
     "--email", "bob@tenant-b.com"],
    capture_output=True,
    text=True
)
print(result.stdout)
if result.returncode != 0:
    print("Error:", result.stderr)

# Extract API key from output
for line in result.stdout.split('\n'):
    if 'API Key:' in line:
        api_key_b = line.split('API Key:')[1].strip()
        print(f"\nStored API Key B: {api_key_b}")

[32m╭─[0m[32m─────────────────────────────────[0m[32m New User [0m[32m─────────────────────────────────[0m[32m─╮[0m
[32m│[0m [1;32mUser created successfully![0m                                                   [32m│[0m
[32m│[0m                                                                              [32m│[0m
[32m│[0m   User ID:   [36m92129dc8-90d2-4fd7-82f0-568ecfd5c3b0[0m                            [32m│[0m
[32m│[0m   Tenant ID: [36med1c643e-158f-4183-bbac-b9711dedd908[0m                            [32m│[0m
[32m│[0m   Email:     [36mbob@tenant-b.com[0m                                                [32m│[0m
[32m│[0m                                                                              [32m│[0m
[32m│[0m   [1;33mAPI Key:[0m [1mFK_eCuq9kggfLHBfCoicWxcogKcZJJSwQieFf_aymD4[0m                       [32m│[0m
[32m╰──────────────────────────────────────────────────────────────────────────────╯[0m

[33m⚠ Save the API key - it will

In [7]:
# List all users to verify
result = subprocess.run(
    ["timedb", "users", "list", "--dsn", DATABASE_URL],
    capture_output=True,
    text=True
)
print(result.stdout)

[3m                                  Users (2)                                   [0m
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃[1m [0m[1mEmail             [0m[1m [0m┃[1m [0m[1mUser ID    [0m[1m [0m┃[1m [0m[1mTenant ID  [0m[1m [0m┃[1m [0m[1mStatus[0m[1m [0m┃[1m [0m[1mCreated         [0m[1m [0m┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│[36m [0m[36mbob@tenant-b.com  [0m[36m [0m│[2m [0m[2m92129dc8...[0m[2m [0m│[2m [0m[2med1c643e...[0m[2m [0m│ [32mactive[0m │[2m [0m[2m2026-02-02 16:31[0m[2m [0m│
│[36m [0m[36malice@tenant-a.com[0m[36m [0m│[2m [0m[2md5acf895...[0m[2m [0m│[2m [0m[2madbe46ce...[0m[2m [0m│ [32mactive[0m │[2m [0m[2m2026-02-02 16:31[0m[2m [0m│
└────────────────────┴─────────────┴─────────────┴────────┴──────────────────┘



## Part 3: Start the API Server

Now we start the API server. With the users_table present, authentication will be **required** for all endpoints.

In [8]:
import subprocess
import time
import requests

# IMPORTANT: Kill any existing API server first to ensure we start fresh
# with the correct database connection
result = subprocess.run(["pkill", "-f", "uvicorn.*timedb"], capture_output=True)
if result.returncode == 0:
    print("Killed existing API server")
    time.sleep(2)  # Wait for port to be released

# Verify environment is set correctly
import os
print(f"TIMEDB_DSN: {os.environ.get('TIMEDB_DSN', 'NOT SET')[:60]}...")
print(f"DATABASE_URL: {os.environ.get('DATABASE_URL', 'NOT SET')[:60]}...")

# Start API server in background using CLI
process = subprocess.Popen(
    ["timedb", "api", "--host", "127.0.0.1", "--port", "8000"],
    stdout=subprocess.DEVNULL,
    stderr=subprocess.DEVNULL
)
time.sleep(3)

# Check API
try:
    response = requests.get(f"{API_BASE_URL}/")
    print(f"\nAPI is running: {response.json()['name']}")
except Exception as e:
    print(f"API check failed: {e}")

TIMEDB_DSN: postgres://tsdbadmin:sykc9mku4fxsd4ya@u4c7ocoul8.rtk6pbr2su....
DATABASE_URL: postgres://tsdbadmin:sykc9mku4fxsd4ya@u4c7ocoul8.rtk6pbr2su....

API is running: TimeDB API


## Part 4: Test Authentication Enforcement

Let's verify that authentication is required when the users_table exists.

In [9]:
# Test request WITHOUT API key - should return 401
response = requests.get(f"{API_BASE_URL}/values")
print(f"Request without API key:")
print(f"  Status: {response.status_code}")
print(f"  Response: {response.json()}")

Request without API key:
  Status: 401
  Response: {'detail': 'API key required. Please provide X-API-Key header.'}


In [10]:
# Test request with INVALID API key - should return 401
response = requests.get(
    f"{API_BASE_URL}/values",
    headers={"X-API-Key": "invalid-key-12345"}
)
print(f"Request with invalid API key:")
print(f"  Status: {response.status_code}")
print(f"  Response: {response.json()}")

Request with invalid API key:
  Status: 401
  Response: {'detail': 'Invalid or inactive API key.'}


In [11]:
# Test request with VALID API key - should return 200
response = requests.get(
    f"{API_BASE_URL}/values",
    headers={"X-API-Key": api_key_a}
)
print(f"Request with valid API key (User A):")
print(f"  Status: {response.status_code}")
print(f"  Response: {response.json()}")

UnicodeEncodeError: 'latin-1' codec can't encode character '\u2502' in position 84: ordinal not in range(256)

## Part 5: Demonstrate Tenant Isolation

Now let's upload data from both users and verify that each user can only see their own tenant's data.

In [None]:
# User A uploads temperature data
base_time = datetime(2025, 1, 1, 0, 0, tzinfo=timezone.utc)

value_rows_a = [
    {"valid_time": (base_time + timedelta(hours=i)).isoformat(), 
     "value_key": "temperature_a", 
     "value": 20.0 + i}
    for i in range(6)
]

response = requests.post(
    f"{API_BASE_URL}/upload",
    json={
        "batch_start_time": datetime.now(timezone.utc).isoformat(),
        "value_rows": value_rows_a
    },
    headers={"X-API-Key": api_key_a, "Content-Type": "application/json"}
)
print(f"User A upload status: {response.status_code}")
print(f"Response: {response.json()}")

In [None]:
# User B uploads humidity data
value_rows_b = [
    {"valid_time": (base_time + timedelta(hours=i)).isoformat(), 
     "value_key": "humidity_b", 
     "value": 50.0 + i}
    for i in range(6)
]

response = requests.post(
    f"{API_BASE_URL}/upload",
    json={
        "batch_start_time": datetime.now(timezone.utc).isoformat(),
        "value_rows": value_rows_b
    },
    headers={"X-API-Key": api_key_b, "Content-Type": "application/json"}
)
print(f"User B upload status: {response.status_code}")
print(f"Response: {response.json()}")

In [None]:
# User A reads data - should ONLY see their own data (temperature_a)
response = requests.get(
    f"{API_BASE_URL}/values",
    params={
        "start_valid": base_time.isoformat(),
        "end_valid": (base_time + timedelta(hours=6)).isoformat(),
        "mode": "flat"
    },
    headers={"X-API-Key": api_key_a}
)
data_a = response.json()
print(f"User A sees {data_a['count']} records:")
if data_a['count'] > 0:
    df_a = pd.DataFrame(data_a['data'])
    print(df_a[['valid_time', 'name', 'value']])
    print(f"\nSeries names visible to User A: {df_a['name'].unique().tolist()}")

In [None]:
# User B reads data - should ONLY see their own data (humidity_b)
response = requests.get(
    f"{API_BASE_URL}/values",
    params={
        "start_valid": base_time.isoformat(),
        "end_valid": (base_time + timedelta(hours=6)).isoformat(),
        "mode": "flat"
    },
    headers={"X-API-Key": api_key_b}
)
data_b = response.json()
print(f"User B sees {data_b['count']} records:")
if data_b['count'] > 0:
    df_b = pd.DataFrame(data_b['data'])
    print(df_b[['valid_time', 'name', 'value']])
    print(f"\nSeries names visible to User B: {df_b['name'].unique().tolist()}")

In [None]:
# Verify tenant isolation
print("Tenant Isolation Verification:")
print(f"  User A (Tenant A) sees: {data_a['count']} records")
print(f"  User B (Tenant B) sees: {data_b['count']} records")
print("")

# Check that they see different data
if data_a['count'] > 0 and data_b['count'] > 0:
    series_a = set(pd.DataFrame(data_a['data'])['name'].unique())
    series_b = set(pd.DataFrame(data_b['data'])['name'].unique())
    overlap = series_a & series_b
    
    if len(overlap) == 0:
        print("SUCCESS: No overlapping series between tenants!")
        print(f"  Tenant A series: {series_a}")
        print(f"  Tenant B series: {series_b}")
    else:
        print(f"WARNING: Found overlapping series: {overlap}")

## Part 6: User Deactivation

Let's demonstrate how deactivating a user revokes their API access.

In [None]:
# Deactivate User B
result = subprocess.run(
    ["timedb", "users", "deactivate", 
     "--dsn", DATABASE_URL, 
     "--email", "bob@tenant-b.com",
     "-y"],
    capture_output=True,
    text=True
)
print(result.stdout or result.stderr)

In [None]:
# Try to access API with deactivated user's key - should return 401
response = requests.get(
    f"{API_BASE_URL}/values",
    headers={"X-API-Key": api_key_b}
)
print(f"Request with deactivated user's API key:")
print(f"  Status: {response.status_code}")
print(f"  Response: {response.json()}")

In [None]:
# Reactivate User B
result = subprocess.run(
    ["timedb", "users", "activate", 
     "--dsn", DATABASE_URL, 
     "--email", "bob@tenant-b.com"],
    capture_output=True,
    text=True
)
print(result.stdout or result.stderr)

# Verify access is restored
response = requests.get(
    f"{API_BASE_URL}/values",
    headers={"X-API-Key": api_key_b}
)
print(f"\nRequest after reactivation:")
print(f"  Status: {response.status_code}")

## Summary

This notebook demonstrated TimeDB's multi-tenant authentication system:

### Key Concepts:

1. **Users Table**: Created with `--with-users` flag on `timedb create tables`

2. **User Management CLI Commands**:
   - `timedb users create --tenant-id <uuid> --email <email>` - Create user with API key
   - `timedb users list` - List all users
   - `timedb users deactivate --email <email>` - Revoke API access
   - `timedb users activate --email <email>` - Restore API access
   - `timedb users regenerate-key --email <email>` - Generate new API key

3. **API Authentication**:
   - Use `X-API-Key` header with all requests
   - When users_table exists, authentication is **required**
   - Invalid or missing API keys return 401 Unauthorized

4. **Tenant Isolation**:
   - Each user's API key is tied to a tenant_id
   - Users can only read/write data for their own tenant
   - Data isolation is enforced at the application level

### Security Notes:
- API keys are generated securely using `secrets.token_urlsafe(32)`
- API keys are only displayed once on creation/regeneration
- Deactivated users cannot authenticate until reactivated
- Consider implementing key rotation policies for production use