Security of your types

I was wondering if there is a way to place my {baseUrl}/types/{lang} behind some security. At this point my entire API layer is open for the entire world to see.

Is there a preferred way to add a security layer over the API types?

These are your public metadata API endpoint for your public services that clients use to discover how to call your Services just as they are in your metadata pages or any other metadata Services, e.g. Open API, Swagger, gRPC, etc.

See docs for Restricting Services for different ways to restrict access to your Services.

Or the Add ServiceStack Reference docs for how to remove the Native Types Feature plugin entirely, inc. hiding Services from metadata features or removing & Ignoring specific Types (warning may cause compilation errors).

As the metadata services aren’t needed at runtime you may just want to disable them from running in Release builds:

#if !DEBUG
Plugins.RemoveAll(x => x is NativeTypesFeature);

This will of course prevent external clients from being able to generate typed APIs against your remote ServiceStack instance.

Thanks for your response.

It seems to me, by reading your answer, that it is not possible to provide access for the extenal clients to the meta data by using credentials right?

I especially wonder if I can do this to provide access to parts of my API depending on the credentials.

Credentials are populated at runtime to call authenticated services, all client tools that generate the Typed DTOs are download anonymously at client development time. You can remove the plugin for release builds as shown above to prevent them from being available in your production site.

If you wanted to control who had access to them you could do something like run a CI task against a CI dev build that generates DTOs for all languages, e.g:

$ x csharp https://localhost:5001
$ x typescript https://localhost:5001
$ x dart https://localhost:5001
$ x java https://localhost:5001
$ x kotlin https://localhost:5001
$ x swift https://localhost:5001
$ x vbnet https://localhost:5001
$ x fsharp https://localhost:5001

Then distribute the generated DTOs to whoever you want to have access to them.

You could force authentication for Add ServiceStack Reference requests by adding a custom Global Request Filter that ensures authenticated requests, e.g:

GlobalRequestFilters.Add((req, res, dto) => {
    if (req.Dto is NativeTypesBase && !req.IsAuthenticated())
        res.StatusCode = (int) HttpStatusCode.Forbidden;

But then you couldn’t use any of the existing client tools to generate the DTOs and clients would need to download them directly from the URL from an authenticated session.