Cloudant provides an API for creating API keys by issuing a POST to /_api/v2/api_keys
https://docs.cloudant.com/authorization.html#creating-api-keys
However, I do not see any documentation which states that an API Key can be deleted, so my assumption is that instead, you just remove the key from the authorization list of all your databases and stop using it.
Is that the correct approach?
You can remove an API key from the dashboard by going to Databases -> Permissions. Hover over the API key you would like to delete and click the "X" that appears once you are hovered over the API key.
To remove an API key using the Cloudant API, you will need to issue an HTTP PUT to the _security API endpoint providing an updated list of usernames that does not include the API key you would like to delete. See the API documentation on modifying permissions.
While the other answer is useful on its own, it doesn't actually answer the question, which is specifically about the possibility to delete an API key and not just remove it from the authorization list.
From the documentation:
By removing the API key from the list of users that have access permissions, the effect is to delete the API key.
So it does seem that there's no way to completely delete an API key, and removing it is indeed the right approach. Since an API key without any permissions can't do anything, it doesn't really matter.
Related
Read thru a lot of posts and articles on how people handle api keys. I think some made it secure to get api keys via Node Server, some store it at .env file.
Sample posts I've read
https://www.rockyourcode.com/secret-keys-in-react/
https://github.com/react-boilerplate/react-boilerplate/issues/1744#issuecomment-303112505
My situation:
Currently I'm storing my API KEYs in .env files, because I'm uglifying my code in React. Those files are unreadable even via Inspect Element, but now all my api keys are exposed in readable format.
My use case:
My website don't require sign in, hence no authentication needed. Basically it's API KEY for firebase analytics. I don't think it make sense to create a Node Server to get the api key here? (And again, I don't need authentication)
How can I better handle the API KEYs?
I don't think exposing the Firebase key is a security threat as per this article: https://medium.com/#paulbreslin/is-it-safe-to-expose-your-firebase-api-key-to-the-public-7e5bd01e637b
GCP usually allows you to restrict api keys by domain. That maybe one way to secure your config and prevent other people from spoofing requests as your project.
In any other situation however, I would not expose api keys in client-side code and have an intermediate server or a cloud-function that uses it instead.
I'm working on a react project in team. We are using a few third party services and these services require api keys. Right now We are storing these key right in the code. As I know It's not good and dangerous.
I tried to find some recommendations in that regard. All ways to solve this problem I see now are:
create .env file and store all key there (but in this case I need to share my keys with other members of the team)
or move all keys to server and always make a calls to the server in order to get required information (but in this case I have no idea how to work with external components which are require keys, for example google maps/places/drawing and so on).
Which way are you using in your team and why? I would like to understand what's the best solution for me.
Thanks!
You cannot really hide an API key used for a client-side API such as JavaScript API and its services. The right way to secure your API key is to add API key restrictions.
Check out Google's guide on API Key Best Practices. You may also want to have a look at this answer.
Hope this helps!
I am planning to use AzureSearch, and have the exposed API get invoked from a client application. I expect that the indexer and fields returned from Azure Search, to change over time.
I wanted to check if the Azuresearch API access key might change- and what steps we need to take to ensure that this is static?
This is critical, as distributing any new key to client devices could be challenging
Azure Search indexers won't change query keys, even if you reset it. The only API that can remove query keys is Query Keys - Delete
On the API console, I only see the API key for self-use. But the most of the documentation makes a reference to a secret key either while forming the CB-ACCESS-SIGN or initializing an auth object.
Should I instead create an OAuth application even if it's for self-use? Appreciate any help.
Finally found out that Coinbase only shows you the secret once during the key creation. If you don't save it, then you would have to delete the existing one and recreate it, which is what I did to solve this issue.
I wonder how we can renew the Amazon merchant API key.
Is there an API call for this, or what is the procedure?
I googled a great amount but only find the procedure to request the first key, which does not work anymore if you are already using the API
We have the old data and are using them but it was compromised, so we need at least a new secret key.
Is this even possible?
There is a forum message which seems to answer it https://sellercentral.amazon.com/forums/message.jspa?messageID=3015879
"Yes, you can change your MWS secret key. Whenever you want to do that we will delete your MWS secret key from our end, and then you can sign up for MWS again to get new secret key through this link
https://developer.amazonservices.com/index.html/182-5557423-3858158 "
There is now no way to reset your own keys (that I can see). Instead you need to contact MWS support and ask them to do it for you.
This can be done via:
https://sellercentral.amazon.com/gp/mws/contactus.html
https://sellercentral-europe.amazon.com/gp/mws/contactus.html
If you put something like "URGENT - MWS Keys Compromised" in the subject line then they should respond quickly!