VRN Reference examples - restricting to user / app key

[alexminza]

How to use VRN to restrict access to a specific user / app key?

Reference: https://github.com/vtexdocs/dev-portal-content/blob/main/docs/vtex-io/Reference/concepts/vtex-io-documentation-vrn.md

[alexminza]

For an integration with a partner we are working on we need to allow them to call a custom API endpoint developed by us in a custom VTEX IO app.

We need to be able to secure the API endpoint and allow only specific API keys to access it.
Current documentation does not describe such case and provides no examples.

https://developers.vtex.com/docs/guides/vtex-io-documentation-vrn

Looking at examples we could not make it with restricted access

• https://github.com/vtex-apps/fedex-shipping/blob/master/dotnet/service.json
• https://github.com/vtex-apps/io-documentation/blob/master/docs/en/Concepts/vrn.md

Fragment from the service.json file:

    "route-name": {
      "path": "/_v/route-name/:orderId",
      "public": true,
      "access": "authorized",
      "policies": [
        {
          "effect": "allow",
          "actions": [
            "get"
          ],
          "principals": [
            "vrn:vtex.vtex-id:*:*:*:user/vtexappkey-*",
            "vrn:vtex.vtex-id:*:{{account}}:*:user/vtexappkey-*"
          ]
        }
      ]
    },

[alexminza]

CC @carolinamenezes, @brunoamui