Manage API Keys

API keys enable your Service Account to authenticate with the Enterprise API. Permissions are applied to the underlying Service Account, not to the key. Because roles are attached to the Service Account, role changes take effect without the Service Account's session token having to be refreshed.

Tech Notes
  • An API key itself has no permission to your resources. It can only be used against the Enterprise API to obtain a session JSON Web Token (JWT), which can then be used to access all Enterprise API endpoints.
  • Up to 5 API keys are allowed per Service Account
  • Expiration can be up to 1 year
  • Keys can be disabled at any time

Security

API keys authorize your Service Account to obtain a temporary Bearer token. These session tokens have a minimum lifetime of 900 seconds and a maximum of 86400 seconds (24 hours). The token itself carries no permissions; they are resolved from the underlying Service Account, which gives you an additional mechanism to reduce impact in the event of leaked credentials.

API Reference

When a key or token is compromised, Service Accounts support several responses:

  1. Rotating credentials
    • Create a new API key
    • Rotate the exposed key from your deployed environments
    • Disable, or delete, the old key
  2. Reduce negative impact
    • Update the roles to reduce excessive access until further action can be taken
  3. Create and deploy a parallel Service Account
    • Create a new Service Account
    • Assign Role-based access
    • Create a new API key
    • Deploy API key into your environments
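As an added example (not the vendor's code), a small Python client that exchanges an API key for a session JWT, caches it, re-exchanges shortly before expiry, and swaps in a rotated key without downtime. The page does not give the token endpoint, so the exchange is a hypothetical injected callable `exchange(api_key, duration_seconds) -> (jwt, expires_at)`; the 900 s / 86400 s bounds and the 5-key limit are the page's.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Limits stated in the documentation above.
MIN_SESSION_SECONDS = 900
MAX_SESSION_SECONDS = 86_400
MAX_KEYS_PER_ACCOUNT = 5

# Hypothetical exchange: (api_key, duration_seconds) -> (session_jwt, expires_at_epoch).
# The real endpoint and payload are not given on this page, so the caller injects it.
ExchangeFn = Callable[[str, int], Tuple[str, float]]


def clamp_session_duration(requested: int) -> int:
    """Keep a requested session length inside the documented 900..86400 s window."""
    return max(MIN_SESSION_SECONDS, min(MAX_SESSION_SECONDS, requested))


def can_create_key(active_key_ids: List[str]) -> bool:
    """A Service Account may hold at most 5 keys; rotation needs a free slot first."""
    return len(active_key_ids) < MAX_KEYS_PER_ACCOUNT


@dataclass
class SessionClient:
    api_key: str
    exchange: ExchangeFn
    duration: int = 3600          # requested session length, clamped on use
    refresh_margin: int = 60      # re-exchange this many seconds before expiry
    _jwt: Optional[str] = None
    _expires_at: float = 0.0
    exchanges: int = 0            # how many times the key was presented

    def bearer(self, now: Optional[float] = None) -> str:
        """Return an Authorization header value, exchanging the key only when needed."""
        now = time.time() if now is None else now
        if self._jwt is None or now >= self._expires_at - self.refresh_margin:
            self._jwt, self._expires_at = self.exchange(
                self.api_key, clamp_session_duration(self.duration))
            self.exchanges += 1
        return f"Bearer {self._jwt}"

    def rotate_key(self, new_key: str) -> None:
        """Swap in the replacement key; the next call re-exchanges with it.

        Disable or delete the old key only after the new one is deployed everywhere."""
        self.api_key = new_key
        self._jwt = None
```

Because roles live on the Service Account, a cached token keeps working after a role change; the client only re-exchanges the key when the session is about to expire or after a rotation.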