When you execute an Actor on Apify, the Actor, by default, gets full access to your account via the Apify API. This guide describes how to execute arbitrary Actors with restricted access, i.e., sandbox the Actor.

Use cases

You might need this when:

You might not need this when:

This Actor is maintained by Apify itself, and can be fully trusted.

Guide

Tl;dr

  1. Disable anonymous read access to account resources.
  2. Create a scoped API token that restricts access to Actors it runs.
  3. Execute the Actor using the API token.

Disable anonymous read access to account resources

By default, some account resources (typically storages such as Datasets or Key-value stores) can be accessed anonymously without a valid token, purely using their impossible-to-guess ID. Therefore, the called Actors could use this anonymous access to reach storages from the Actor runs of other users.

To prevent this, you’ll need to reach out to your Apify point of contact to disable anonymous read access on your account. Currently, we don’t allow users to make this change themselves.

<aside> ⚠️

If you have integrations that rely on anonymous access, they will obviously break. Make sure that you pass an API token whenever you read data from storages externally.

</aside>

To access the storages to read results of Actor runs of your users, you’ll then need to create an additional API token (other than the API token used for invoicing the runs).

We understand this is a bit complicated to set up, and we are working on a new Actor permissions system to make this easy to use.
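An added example (not part of the original guide and not Apify's own code) for finding integrations that rely on anonymous access before it is disabled: it flags storage reads against the Apify API that carry no token and rebuilds them with an `Authorization: Bearer` header. The call inventory, IDs, token values and function names are constructed placeholders.

```python
import re
import urllib.request
from urllib.parse import urlsplit, parse_qs

# Storage endpoints of the Apify API v2 that are addressed by storage ID.
STORAGE_PATH = re.compile(r"^/v2/(datasets|key-value-stores|request-queues)/[^/]+")

def relies_on_anonymous_access(url, headers=None):
    """True if the call reads an Apify storage without sending any API token."""
    parts = urlsplit(url)
    if parts.hostname != "api.apify.com" or not STORAGE_PATH.match(parts.path):
        return False  # not an Apify storage read, out of scope for this audit
    has_query_token = bool(parse_qs(parts.query).get("token"))
    has_header_token = any(
        k.lower() == "authorization" and v.lower().startswith("bearer ") and len(v) > 7
        for k, v in (headers or {}).items()
    )
    return not (has_query_token or has_header_token)

def authenticated_request(url, token):
    """Build the same read with the token sent in the Authorization header."""
    if not token:
        raise ValueError("an API token is required once anonymous access is disabled")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

# Constructed inventory of outbound calls made by external integrations.
SAMPLE_CALLS = [
    ("https://api.apify.com/v2/datasets/EXAMPLE_DATASET_ID/items?format=json", {}),
    ("https://api.apify.com/v2/key-value-stores/EXAMPLE_STORE_ID/records/OUTPUT",
     {"Authorization": "Bearer EXAMPLE_TOKEN"}),
    ("https://api.apify.com/v2/datasets/EXAMPLE_DATASET_ID/items?token=EXAMPLE_TOKEN", {}),
    ("https://example.com/v2/datasets/EXAMPLE_DATASET_ID/items", {}),
]

def audit(calls):
    """Return the URLs that will stop working when anonymous reads are disabled."""
    return [url for url, headers in calls if relies_on_anonymous_access(url, headers)]

if __name__ == "__main__":
    for url in audit(SAMPLE_CALLS):
        print("will break when anonymous access is disabled:", url)
```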

Create a scoped API token