Authentication
space-safety.starlink.com uses mTLS for client authentication.
Certificate Generation
In your initial onboarding email from SpaceX, you were instructed to generate a secret key and a certificate signing request (CSR) with a command like (with CN, O, OU set to real values):
- Linux
- Windows
$ openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout client.key -sha384 -out client.csr -subj "/CN=funspacecorp/O=Fun Space Corp/OU=Operations"
> openssl ecparam -name secp384r1 -out secp384r1.pem
> openssl req -new -newkey ec:secp384r1.pem -nodes -keyout client.key -sha384 -out client.csr -subj "/CN=funspacecorp/O=Fun Space Corp/OU=Operations"
This command generates:
client.key: Your secret key. Don't share this with anyone, and consult your internal security/IT team if you have questions about handling private key material.client.csr: Your CSR. Send to SpaceX so we can sign it for either our production or staging environments.
The CN, or "Common Name", is associated with your account. The O and OU fields are metadata, and are informational only.
After sending the CSR to SpaceX, you will receive a client.crt file.
Browser certs
The examples in the Quick-Start Guide should be enough to get you started using the API programmatically, but the Swagger docs can be useful for interacting with the API in your browser.
You can use the following command to bundle your key and certificate into a single .p12 file compatible with most modern web browsers:
$ openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt
For example, on Google Chrome, navigate to "Privacy and Security" → "Security" → "Manage Device Certificates", which will direct you to a location to place the file.
Rate Limiting
APIs may return HTTP 503 responses if they exceed API rate limits.
Our goal is that our rate limits provide no practical impediment to operators using the screening system. Please contact SpaceX if rate limiting is hampering your operations.
Authentication and Access Controls
Every operator is associated with one or more keys (certificates), and each key is associated with an array of permissions, which allow the operator to take actions in the system:
| Permission name | Description |
|---|---|
trajectory:upload | Allows operators to upload trajectories for their objects via the POST /api/v1/trajectory endpoint |
trajectory:hypothetical | A subset of the trajectory:upload permission allowing operators to only submit hypothetical trajectories to the system. |
object:manage | Allows operators to use the POST /api/v1/object or PUT /api/v1/object endpoints to create/modify objects associated with their account. |
An operator can be provisioned multiple keys with different sets of permissions (i.e., one key with the trajectory:upload permissions, as well as a "read-only" key) to manage access controls within their organization.
You may receive a HTTP 401 (Unauthorized) response if the certificate provided does not have the required permissions to execute a request.