Security
API Authentication
All API calls are made over a secure, HTTPS-protected channel. Every API call is authenticated, and access is authorized based on the user's role. An immutable audit trail is maintained centrally for all actions performed via APIs.
sequenceDiagram
participant API Caller
participant Rafay Platform
Note right of API Caller: https
rect rgb(191, 223, 255)
API Caller->>Rafay Platform: API Request (API Key)
Note right of Rafay Platform: AuthN, AuthZ & Audit
Rafay Platform-->>API Caller: Response
end
API Keys Config Settings
Config settings for API keys help customers implement security-related best practices for managing API keys within the organization. The Org Admin can establish a default duration for expiration. Additionally, the Org Admin can create users and define the expiration timeframe. Expiry durations can be specified in hours, with a minimum of 1 hour.
Note: In the event of receiving an exception request, the org admin has the option to either generate a key on behalf of the user or modify the expiration period specifically for that user.
Users also have the option to set an expiry duration when creating an API key. However, this expiry duration cannot exceed the duration set in the org-wide setting or the expiry duration specifically configured for the user. If the user does not specify an expiry duration, it defaults to the organization-wide setting or the user-specific configuration (whichever is higher).
Org Admins can also create API keys for themselves or on behalf of other users. They can configure an expiry interval that overrides other configurations, allowing for durations that exceed the limits set for the organization or individual users. To provide visibility into the expiry status of API keys, details regarding the expiry interval are available, as shown in the image below. This helps users and administrators track the expiration dates of API keys more effectively.
Email notifications will be sent to users regarding imminent expirations, 7 days and 1 day prior to the expiry, as appropriate. If an expired API key is used, the error message will explicitly indicate that the authentication failed due to the key's expiration. API keys that have been expired for over 90 days will be automatically deleted. API keys are not auto-generated for new user accounts. They are generated on demand by the user and are managed via the Console.
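The expiry rules above can be modelled offline to audit a key inventory. The following is an added example, not Rafay code and not a platform API: the function names, the sample inventory, the reading that the ceiling is the higher of the org-wide and user-specific values, and the choice to reject an over-limit request are all assumptions.

```python
from datetime import datetime, timedelta, timezone

MIN_HOURS = 1                        # page: minimum expiry is 1 hour
PURGE_AFTER = timedelta(days=90)     # page: keys expired > 90 days are deleted
WARN_7D, WARN_1D = timedelta(days=7), timedelta(days=1)  # page: email notices

def effective_expiry_hours(org_default, user_limit=None, requested=None,
                           is_org_admin=False):
    """Resolve the expiry, in hours, for a new API key (hypothetical helper)."""
    # Assumption: the ceiling is the higher of the org-wide and user-specific
    # values, matching the page's rule for the default.
    limit = org_default if user_limit is None else max(org_default, user_limit)
    if requested is None:
        return limit
    if requested < MIN_HOURS:
        raise ValueError("expiry must be at least 1 hour")
    if requested > limit and not is_org_admin:
        # Assumption: an over-limit request is rejected rather than clamped.
        raise ValueError(f"requested {requested}h exceeds limit {limit}h")
    return requested                 # Org Admins may exceed the limit

def key_state(created, expiry_hours, now):
    """Classify one key: active, notify-7d, notify-1d, expired or purge."""
    expires = created + timedelta(hours=expiry_hours)
    if now >= expires:
        return "purge" if now - expires > PURGE_AFTER else "expired"
    remaining = expires - now
    if remaining <= WARN_1D:
        return "notify-1d"
    if remaining <= WARN_7D:
        return "notify-7d"
    return "active"

def audit(inventory, now):
    """Map key name -> state for (name, created, expiry_hours) tuples."""
    return {name: key_state(created, hours, now)
            for name, created, hours in inventory}

# Constructed sample data, not real keys.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    ("ci-deploy", datetime(2024, 5, 1, tzinfo=timezone.utc), 720),
    ("old-script", datetime(2024, 1, 1, tzinfo=timezone.utc), 24),
    ("nightly", datetime(2024, 5, 25, tzinfo=timezone.utc), 240),
    ("adhoc", datetime(2024, 5, 31, 12, tzinfo=timezone.utc), 24),
    ("long-lived", datetime(2024, 5, 1, tzinfo=timezone.utc), 2160),
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(f"{name:12} {state}")
```

Keys reported as `expired` are the ones whose callers will start seeing the explicit expiration error; `purge` marks keys past the 90-day deletion window.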
Best Practices
- Copy the API key when you create it, as you won't be able to view it again.
- For machine users, it is strongly recommended to use users that are only allowed programmatic access.
- Securely store your secret access keys. Remember that anyone who gets access to your "access key" has the same level of access to your resources that you do.
- If you have lost your secret access key, revoke it and generate a new access key.