Ever wondered how to keep your API keys safe and sound while you build cool stuff? Dive deep to learn how to protect and handle your API keys from start to finish.
The importance of API key management
Kontent.ai provides a secure and reliable API key management system that allows you to create and manage your API keys. This includes making sure the API key system is protected against unauthorized access, regularly monitoring and logging API key usage, and providing tools to revoke or regenerate keys as needed.Effective API key management is critical for security, efficiency, scalability, and compliance in modern computer systems. These are the main pillars supported by proper API key management.
The API key lifecycle
When using the Kontent.ai APIs and their API keys, you should keep in mind their lifecycles to ensure the APIs and API keys are used correctly. Or not used at all.The lifecycle of an API, such as Delivery API and Management API, is simple. You activate the API when you need it and deactivate the API when you no longer need it. That’s it.While an API is active, you need to manage API keys throughout their own lifecycle. API key lifecycle consists of four phases: creation, distribution, rotation, and expiration. You can have multiple API keys per API.Let’s go through each of these phases.
1. Activate an API
Delivery API and Delivery Preview API are available for all projects. This means you can fetch published content and preview unpublished content without manually activating the APIs.Keep in mind that your published content is publicly available by default. If you work with sensitive content, we recommend enabling secure access for Delivery API.Activating Management API and Delivery API’s secure access is reserved for project managers.
2. Create an API key
When creating API keys, you need to make decisions such as:
When should the API key expire?
What permissions does the API key need?
Who needs access to the API key?
Choose the right expiration date
Does your organization have an internal cryptography policy? If it does, the API key expiration should follow the requirements specified in the policy.
Is the API key going to be used by a temporary third party? If it is, we recommend setting the API key expiration date to the date the contract with the third party ends. Avoid letting a third party access your data after a terminated contract.
Do you have increased requirements on availability? Set the expiration to occur during business hours.
Configure appropriate API key permissions
Always keep in mind how the API key is going to be used. Limit the API key to the resources needed for the job. This means specifying the necessary permissions and access to specific environments.
Delivery API keys provide access to preview content, retrieve published content, or both. More often than not, you’ll want to separate the two use cases.
Management API keys provide access to resources based on how the API keys are set up. For example, the API key can allow content model changes or only read-only access to content items or assets.
Share the API key with specific users
Consider which users in your project need access to the API key and share it with them. In such a setup, they can view the API keys on their own, but they cannot manage them.
3. Distribute the API key
For Delivery API keys and Management API keys, project managers can choose to share the API with other users. This way, you can quickly see who has access to the API key and easily determine if the API key needs to be rotated.When the right users have access to the API key, they can copy the API key and use it to make API requests.
4. Rotate the API key
API key rotation means replacing an existing API key with a new one that serves the same purpose. API key rotation helps ensure that only authorized users or applications have access to your data by invalidating the API keys that are no longer needed.When do you regenerate and rotate your API keys? For example, when:
You suspect unauthorized API key usage after a user leaves your company. In such cases, switch to a new API key in your apps and regenerate your existing API key.
Users are removed from your project’s environment or subscription. Depending on the user’s access level, you might want to regenerate the shared Delivery API keys.
You receive a notification about an upcoming expiration of your API key.
Regular API key rotation is crucial for security because it reduces the risk of API key theft or compromise. Even if an API key is stolen or compromised, it will be only valid for a limited time, reducing the window of opportunity for an attacker.
5. Expire the API key
API key expiration is the final stage of every API key. API keys have a finite lifespan, after which they become invalid and unusable for authentication and authorization.API key expiration prevents unauthorized access by ensuring that API keys are not valid indefinitely. Before the API key expires, we’ll send an email notification to the users who can manage the API key.
API key management is often required for compliance with regulations and industry standards, such as NIST, PCI DSS, and GDPR.Properly managing your API keys ensures that API key usage is monitored and audited, enabling compliance with these regulations and standards.
API keys can improve the efficiency of authentication and authorization by allowing users to sign in once and then access multiple resources without needing to re-enter their credentials.Effective API key management ensures that API keys are generated and distributed efficiently, reducing the workload on the authentication and authorization systems.
API key management ensures that API keys can be distributed and validated across multiple systems, enabling seamless and scalable access to resources.
API keys are used to authenticate and authorize access to protected data and content, such as your content items, assets, and project settings.By managing your API keys, you ensure that only authorized users or apps can access these resources, preventing unauthorized access and data breaches.
Keep in mind that you’re responsible for properly securing and managing your own API keys.For example, this can include ensuring that the API keys are stored securely and not shared or exposed to unauthorized users, regularly rotating API keys to mitigate the risk of compromised keys, and monitoring API key usage for any suspicious activity.
Quick tips to keep your API keys safe
Use the API keys via environment variables in your code, not directly.
Implement pre-commit and pre-push hooks in your version control system to scan for accidental inclusion of API keys and secrets in your code.
Tip: Make sure to carefully choose the frequency of API key rotation and communicate it to your users and maintainers of your apps to prevent unexpected access issues.