Welcome Tour
Site Checklist
Our Story




The authkey command is an important part of BoltWire's permission systems. It allows you to give a user permission to perform special actions in forms they do not otherwise have authorization to do. Here's how it works.


Suppose you do not want to give users general access to edit your site pages. You change the default value on site.auth.write to restrict write permissions to those in the editor group:

*: @editor

But now suppose you have a form which adds a log entry to a page when a user clicks some button--maybe to track users that view a page or access some download. The log command will fail because the user does not have write permission. Nor do we want to unlock the log page for general editing, to prevent users from going in and editing the log page using the edit action.

In other words, we want a way to create an exception for this specific form. Here's how you do it:

[command authkey button]
[command log '{id} clicked the button' page=log.button]

Now on site.auth.write you enable the special authorization like this:

log.button: @key_button

This authorizes any form with the "button" authkey to write to page log.button. Note the authkey line MUST appear before the log line or the form will fail.


Suppose I wanted to allow members to post comments to a page in a forum without being able to edit the page itself. The process is very similar. Simply add this line to your comment forum.

[command authkey comment]

If you want to limit commenting to members, wrap the entire comment form in [if login] and [if]. Or better still: [if login]comment form...[else]Login to commment...[if]

Next, add the following line to the site.auth.write page and they will be able to post:

forum*: @key_comment

Members will not be able to edit any forum pages, create new pages or do any other write functions--except make comments using your specially enabled comment form. If you want to let them make comments on your blog as well, add another line like the one above for your blog pages.

A Site Key

In some case you may want to make a generic site key which will work on any special form you want. Simply add a site.auth.write entry like the following:

*: @editor, @key_special

This authorizes any form with the "special" authkey to post to any page not restricted elsewhere. That is, if the two lines below are on site.auth.write, the authkey will not help should a user try and edit a code page. Neither will editor status, as the more specific authorization instruction overrides the more general instruction.

*: @editor, @key_special
code: @admin

For more information about permissions, including tips on how to set an authkey dynamically, see the security tutorial.


An authkey authorization only extends for the submission of the form and is immediately revoked afterwards. Authkeys can apply to any auth type, not just write permissions.