We designed Neurons so that they can be called from either a back-end or a front-end service. Calling a Neuron directly from your front-end application helps you build AI features quickly, without having to manage any infrastructure and without exposing your AI provider API keys.

To ensure a Neuron can be called from a front-end service, the CORS configuration of Neuron endpoints in Prompteus is very permissive. This is intentional and is not a security risk: CORS only governs which origins a browser lets read the response, while who may call the Neuron is governed by the access control settings described below.

Access Control Settings

The Access Control section of the Neuron Settings page allows you to control who can access your Neuron.

Public Access

Public Access settings in the Neuron Settings page

Enabling public access allows anyone to call your Neuron by using the Neuron’s API URL. Public access cannot be combined with any other access control setting: when it is enabled, none of the other settings apply.

We just want to make this extremely clear: public access means anyone with the URL can call your Neuron. Better safe than sorry!

Referer Restrictions

Referer Restrictions settings in the Neuron Settings page

Referer restrictions allow you to restrict access to your Neuron to requests from specific domains. This is useful if you want your Neuron to be called from a specific front-end application, while blocking access from other domains.

This has no effect on requests made directly to the Neuron’s API URL (e.g. from a back-end service).

The Neuron checks the Referer header of every request and blocks any request that does not originate from an allowed domain.

Referer restriction is a minimal security measure: the Referer header is supplied by the client, so it is not a substitute for proper authentication and authorization. We recommend using JWT Authentication for production applications where you need to verify the identity of your users.

We recommend using Referer Restriction in combination with Rate Limiting to prevent abuse.
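To make the "minimal measure" point concrete, here is an added example (not Prompteus's own implementation, whose exact matching rules are not described on this page) of how a referer allow-list check is typically written and where it goes wrong. The allowed domains and the sample request headers are constructed for illustration; the model treats a missing Referer header as not allowed, which is this example's choice. The contrast with a naive substring match shows why the check must be done on the parsed host.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allow-list of front-end domains (illustration only).
ALLOWED_DOMAINS: Set[str] = {"app.example.com", "staging.example.com"}


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Return the lowercase host of a Referer header value, or None if absent or unparseable."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # urlsplit lowercases .hostname and strips any :port for us.
    return parts.hostname


def referer_allowed(headers: Dict[str, str], allowed: Set[str] = ALLOWED_DOMAINS) -> bool:
    """Allow a request only if the parsed Referer host is exactly one of the allowed domains.

    A request with no Referer header (e.g. a direct curl call) is treated as
    not allowed in this model. Because the header is set by the client, this
    check only filters well-behaved browsers; it is not authentication.
    """
    host = referer_host(headers.get("Referer"))
    return host is not None and host in allowed


def naive_referer_allowed(referer: str, allowed: Set[str] = ALLOWED_DOMAINS) -> bool:
    """The common mistake: substring matching on the raw header value.

    'https://app.example.com.attacker.test/' contains 'app.example.com' and
    would be accepted, which is why referer_allowed() parses the host instead.
    """
    return any(domain in referer for domain in allowed)


if __name__ == "__main__":
    # Constructed sample requests: a browser request from the allowed app,
    # a direct back-end style call with no Referer, and a look-alike domain.
    samples = [
        {"Referer": "https://app.example.com/chat"},
        {},
        {"Referer": "https://app.example.com.attacker.test/"},
    ]
    for headers in samples:
        print(headers.get("Referer"), "->", referer_allowed(headers))
```

Run it directly to see the three decisions; the look-alike domain is the case that separates the parsed-host check from the naive one.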

IP Restrictions

IP Restrictions settings in the Neuron Settings page

IP restrictions allow you to restrict access to your Neuron to requests from specific IP addresses.

We currently only support IPv4 addresses, but are working on supporting IPv6 in the near future. If you need IPv6 support, please contact us.

Any call to a Neuron that does not originate from an allowed IP address will be blocked.

API Key Authentication

API Key

API key authentication allows you to authenticate requests to your Neuron using your Prompteus API key.

This should only be used from a back-end application, never from a front-end application: be careful not to expose your API key in client-side code.

You can manage your API keys in the API Keys section of the Settings page. There is no limit to the number of API keys you can create, and you can revoke them at any time.

For detailed examples of how to use API keys in your requests, including error handling and best practices, see our API documentation.

When executing a Neuron, the API key should be passed in the Authorization header of the request, as a Bearer token.

curl -X POST https://run.prompteus.com/<organization-slug>/<neuron-slug> \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <api-key>" \
  -d '{"input": "What is the meaning of life?"}'

Replace <organization-slug> with your organization’s slug, which you can manage in the Team Settings.

JWT Authentication

JWT authentication allows you to authenticate requests to your Neuron using a JSON Web Token (JWT). This is useful if you want to authenticate requests to your Neuron from a specific front-end application.

A good introduction to JWTs can be found on the jwt.io website.

For complete examples of JWT authentication, including error handling and TypeScript SDK usage, see our API documentation.

A JWT can be validated using either a Shared Secret, or a JWKS endpoint.

JWT Authentication using a Shared Secret

When using the Shared Secret validation method, the JWT must be signed with the same secret that you provide in the JWT Secret field. The secret should be a strong, randomly generated string that is kept secure and shared only between your token-issuing back-end and Prompteus.

JWT Authentication using a JWKS Endpoint

When using the JWKS endpoint validation method, the JWT must be signed with a key that is returned by the JWKS endpoint. You can specify multiple JWKS endpoints, and the Neuron will try each one in order until it finds a valid key.

When executing a Neuron, the JWT should be passed in the Authorization header of the request, as a Bearer token.

curl -X POST https://run.prompteus.com/<organization-slug>/<neuron-slug> \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <jwt>" \
  -d '{"input": "What is the meaning of life?"}'

Username Property Path

The Username Property Path is the path to the property in the JWT that holds the username. The Neuron uses it to set the username of the request.

For example, it could be sub or email. The username is currently used in two ways:

  1. When using the Rate Limiting feature, the username is useful to limit the rate of requests from a specific user.
  2. When reading Neuron logs, the username is used to identify which user made the request.
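The following added example (not Prompteus's code; it uses only the Python standard library) ties the Shared Secret section and the Username Property Path together: it mints an HS256 JWT the way your back-end would before handing it to the front-end, verifies it the way a shared-secret check does (signature, algorithm and expiry), and resolves the username from the claims. The secret and claims are constructed; the support for dotted nested paths such as `user.id` is an assumption of this example, as the page only names `sub` and `email`. JWKS validation is not covered here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed secret for illustration only. A real one should come from a
# CSPRNG (e.g. secrets.token_urlsafe(32)) and match the Neuron's JWT Secret field.
JWT_SECRET = "replace-with-a-long-random-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: Dict[str, Any], secret: str, ttl_seconds: int = 300) -> str:
    """Create an HS256-signed JWT; this is what the back-end does, never the front-end."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iat": now, "exp": now + ttl_seconds, **claims}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_jwt(token: str, secret: str, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Model of a shared-secret check: return the claims, or None if the token is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm-confusion tokens
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(p))
    current = now if now is not None else int(time.time())
    if claims.get("exp", 0) <= current:
        return None
    return claims


def username_from_claims(claims: Dict[str, Any], property_path: str) -> Optional[str]:
    """Resolve the Username Property Path ('sub', 'email', or an assumed dotted path like 'user.id')."""
    value: Any = claims
    for key in property_path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value if isinstance(value, str) else None


def authorization_headers(token: str) -> Dict[str, str]:
    """Headers the front-end attaches when executing the Neuron with the JWT."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


if __name__ == "__main__":
    token = mint_jwt({"sub": "user-42", "email": "user-42@example.com"}, JWT_SECRET)
    claims = verify_jwt(token, JWT_SECRET)
    print("valid:", claims is not None)
    print("username via 'sub':", username_from_claims(claims or {}, "sub"))
    print("tampered secret accepted:", verify_jwt(token, "other-secret") is not None)
```

The front-end only ever sees the finished token and the `authorization_headers()` it sends; the secret stays on the back-end, which is the whole point of the shared-secret design.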

In a future release, additional JWT properties will be supported and passed to the Neuron context, allowing you to run custom logic in your Neuron based on the user’s identity. Let us know if you have a specific use case in mind by contacting us.