Coming Soon: API key management

We have a new feature on the way, which is the ability to manage your API keys as an Automox administrator. Currently each console user has just the one API key that can’t be changed or expired.

We’re looking at launching this in Q3 2020 - stay tuned for updated release info as we get closer to release.

Here’s how that feature will work:

The API Key Management in the Settings section of the console is a feature that enables a full administrator to disable, delete, re-enable, and generate new API Keys associated with their organization’s account through the Settings page. All other roles can only view and manage the API Keys they have created with their logins. API keys can be managed either through the console or via the API.

The API key value is obfuscated in the console interface. When a new API is created, the user can associate an optional expiration date with that key. If no expiration date is associated, the default value is no expiration date. Each organization can associate up to 10 API Keys per user. Disabled keys count towards the 10 key limit.

Please let us know if you have any questions or feedback about this upcoming feature.

9 Likes

We here internally are excited to start being able to get these security enhancements out to everyone. API keys have been a concern for a while, and we’re happy that you’ll soon be able to revoke and regenerate keys.

This feature is now live. Stay tuned for updated documentation. I’ll post the links to the new documentation for this feature once that’s available.

2 Likes

Updated documentation:
https://docs.automox.com/home/automox-settings/accessing-your-api-keys

We’re beginning to work through what our expected process will be in order to accomplish rotating API keys for all of our users across all of our Organizations on a recurring basis (hundreds of users, so it will have to be automated).

At a high level, this process workflow would be something along the lines of pulling all user accounts/API keys from all of our Orgs, deleting all of the keys associated with those accounts, and then updating the accounts with a new API key. Has anybody already tried to accomplish something similar?

A couple other questions:

  • Does deleting/creating keys for a user trigger any kind of user interaction or notification? (similar to adding/removing new accounts generating an email notification; it doesn’t appear so from our initial testing)
  • Does the Update API key function only enable/disable the account? e.g. for this process we would need to use the Delete and then Create APIs, not the Update API.

1. No - that was on the list of features, but it didn’t make it into the initial release of the feature, but it might be added in the future.
2. For now, yes. The update endpoint only supports disabling/re-enabling keys. They would want to use the list all, delete, create new approach.

1 Like
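
The list all, delete, create new rotation discussed in this thread, sketched as an added example (not Automox code and not from any poster). `FakeKeyStore` is a constructed in-memory stand-in for the key-management API, and every function name here is hypothetical; swap its three methods for real API calls. As a choice of this example, the new key is created before the old ones are deleted whenever the 10-key limit leaves a free slot.

```python
from dataclasses import dataclass, field
from itertools import count

MAX_KEYS_PER_USER = 10  # limit stated in the announcement; disabled keys count

@dataclass
class FakeKeyStore:
    """Constructed in-memory stand-in for the key API (hypothetical)."""
    keys: dict = field(default_factory=dict)  # user_id -> {key_id: enabled}
    _ids: count = field(default_factory=lambda: count(1000))

    def list_keys(self, user_id):
        return dict(self.keys.get(user_id, {}))

    def create_key(self, user_id):
        owned = self.keys.setdefault(user_id, {})
        if len(owned) >= MAX_KEYS_PER_USER:
            raise RuntimeError("key limit reached")
        key_id = next(self._ids)
        owned[key_id] = True
        return key_id

    def delete_key(self, user_id, key_id):
        del self.keys[user_id][key_id]

def rotate_user(store, user_id):
    """Replace every existing key of one user with a single new key."""
    old = store.list_keys(user_id)
    # At the limit there is no free slot: free one first, preferring a
    # disabled key so no working credential goes before its replacement.
    if len(old) >= MAX_KEYS_PER_USER:
        victim = min(old, key=lambda k: (old[k], k))  # disabled sorts first
        store.delete_key(user_id, victim)
        del old[victim]
    new_id = store.create_key(user_id)
    # Remove the old keys only once the new one exists.
    for key_id in old:
        store.delete_key(user_id, key_id)
    return new_id

def rotate_all(store, user_ids):
    """Rotate each user; collect failures instead of aborting the run."""
    rotated, failed = {}, {}
    for uid in user_ids:
        try:
            rotated[uid] = rotate_user(store, uid)
        except Exception as exc:
            failed[uid] = str(exc)
    return rotated, failed
```

The `failed` map is what a recurring job would report on, so a user left with old keys after a partial run is visible rather than silently skipped.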