Handling API Key expiration

We are starting our Apigee implementation, and one of the questions we are trying to answer is how to handle the expiration of API keys. We will have external applications using our APIs, and we will be providing them with API keys to consume our APIs. As per our security mandate, we need to have an expiration schedule of one year. We are trying to understand how we can automatically notify the consumer/admin 90 days before a key expires so that we can provision a new key and ensure business continuity.


Ahh, yes.

In Apigee Edge it is possible to set an expiry on each key (or credential), to support rotation. But Apigee Edge does not include a facility for automatically notifying a developer that the key will expire "soon".

I have seen customers build their own tools or systems for this purpose.

Basically, a cron job that runs once per week and does this:

  • for each developer, query all the apps in the system
  • for each app, query all the credentials
  • for each credential, examine the expiry date
  • if it "expires soon" (you define this; maybe it's 30 days), and the notification count (more on this in a bit) is less than X (maybe 5), then add that key to the "notify list" for that developer
  • when done with all apps for the developer, if any keys appear on the "notify list", then send an email to the developer with the subject "Key expiry warning" and text "Some of your keys expire soon: A, B, C, ... Please visit the developer portal at https://x.y.z to get renewed keys."
  • for each key in the notify list, increment the notification count. The count must be stored persistently, somewhere. You could use a custom attribute attached to the app itself to store the count. Or you could store the counts in a simple text file managed by the cron job.
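The weekly job described in the reply above, written out as an added example (it is not Apigee's own tooling and not code from the reply). The management-API calls are replaced by an in-memory fixture of constructed data so it runs offline; the fixture is shaped like a developer-app record with `credentials` (each with a `consumerKey` and an `expiresAt` in epoch milliseconds, where -1 means never expires) and a list of `attributes` name/value pairs, which is an assumption about the API response. The attribute name `expiry_notice_count_<key>`, the 30-day window, the cap of 5 notices, and the `send` callback are all hypothetical choices made for the example.

```python
import copy

MS_PER_DAY = 86_400_000
EXPIRES_SOON_DAYS = 30          # "you define this"
MAX_NOTIFICATIONS = 5           # stop warning about a key after this many emails
PORTAL_URL = "https://x.y.z"    # placeholder from the reply's sample text

# Constructed fixture, deterministic "now" so the example is repeatable.
NOW_MS = 1_700_000_000_000
FIXTURE = {
    "alice@example.com": [
        {"name": "alice-app",
         "attributes": [{"name": "expiry_notice_count_KEY-A", "value": "2"}],
         "credentials": [
             {"consumerKey": "KEY-A", "expiresAt": NOW_MS + 10 * MS_PER_DAY},   # expires soon
             {"consumerKey": "KEY-B", "expiresAt": NOW_MS + 200 * MS_PER_DAY}]},  # not soon
    ],
    "bob@example.com": [
        {"name": "bob-app",
         "attributes": [{"name": "expiry_notice_count_KEY-C", "value": "5"}],
         "credentials": [
             {"consumerKey": "KEY-C", "expiresAt": NOW_MS + 3 * MS_PER_DAY}]},    # already warned 5 times
        {"name": "bob-app-2",
         "attributes": [],
         "credentials": [
             {"consumerKey": "KEY-D", "expiresAt": -1},                           # never expires
             {"consumerKey": "KEY-E", "expiresAt": NOW_MS - 1 * MS_PER_DAY}]},    # already expired
    ],
}


def attr_name(consumer_key):
    # Hypothetical per-key counter stored as a custom attribute on the app.
    return f"expiry_notice_count_{consumer_key}"


def get_attr(app, name, default="0"):
    for a in app.get("attributes", []):
        if a["name"] == name:
            return a["value"]
    return default


def set_attr(app, name, value):
    attrs = app.setdefault("attributes", [])
    for a in attrs:
        if a["name"] == name:
            a["value"] = value
            return
    attrs.append({"name": name, "value": value})


def days_until_expiry(credential, now_ms):
    exp = credential.get("expiresAt", -1)
    if exp is None or exp == -1:
        return None  # never expires, nothing to warn about
    return (exp - now_ms) / MS_PER_DAY


def build_notify_list(apps, now_ms):
    """Keys across all of a developer's apps that expire soon (or already did)
    and have not yet hit the notification cap."""
    notify = []
    for app in apps:
        for cred in app.get("credentials", []):
            days = days_until_expiry(cred, now_ms)
            if days is None:
                continue
            key = cred["consumerKey"]
            count = int(get_attr(app, attr_name(key)))
            if days <= EXPIRES_SOON_DAYS and count < MAX_NOTIFICATIONS:
                notify.append((app, key, days))
    return notify


def compose_email(developer, notify):
    keys = ", ".join(f"{k} (already expired)" if d < 0 else f"{k} ({d:.0f} days)"
                     for _, k, d in notify)
    return {"to": developer, "subject": "Key expiry warning",
            "body": f"Some of your keys expire soon: {keys}. Please visit the "
                    f"developer portal at {PORTAL_URL} to get renewed keys."}


def run_weekly(developers, now_ms, send):
    """One pass of the cron job. Returns {developer: [keys warned about]}."""
    notified = {}
    for developer, apps in developers.items():
        notify = build_notify_list(apps, now_ms)
        if not notify:
            continue
        send(compose_email(developer, notify))
        for app, key, _ in notify:
            name = attr_name(key)
            set_attr(app, name, str(int(get_attr(app, name)) + 1))
            # In a real deployment, write the updated app back to the management API here.
        notified[developer] = [k for _, k, _ in notify]
    return notified


def demo():
    developers = copy.deepcopy(FIXTURE)
    outbox = []
    notified = run_weekly(developers, NOW_MS, outbox.append)
    return notified, outbox, developers


if __name__ == "__main__":
    result, mail, _ = demo()
    print(result)
    for m in mail:
        print(m["to"], "->", m["body"])
```

Running `demo()` warns alice about KEY-A (its counter goes from 2 to 3), skips bob's KEY-C because it has already been notified five times, ignores KEY-D because it never expires, and does warn about KEY-E even though it has already lapsed, since an expired key with a zero counter has never been reported. To turn this into the cron job from the reply, replace `FIXTURE` with the developer/app/credential lookups against your Apigee organization, persist the incremented counter back to the app, and hand `compose_email` to a real mailer.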