API keys are a way for a third-party product to authenticate with TRYTN in a secure, safe way. API keys allow authentication similar to a password and, as such, should be protected just as you would protect a password.
Creating an API Key
Creating an API key is simple. Once logged in, navigate to Settings > Integrations > API Keys. From there you will see a list of any existing API keys that have been created. Select Add at the top and you are presented with a simple form.
The Internal Label field is just that, an internal name or label for this API key. It's suggested to name each API key you create something that makes it obvious what this API key is used for. It is a best practice to create an API key for each integration you have. This allows for easy revoking or rotating of keys for a specific platform.
Retrieving an API Key
Once you have created an API key you have the ability to view the actual key. Find the key you wish to view in the list of available API keys. When you expand the API key name, you are presented with additional information about the API key.
In the above example you will see a secret key field, a created at field, and a created by field. Since API keys are like passwords, this is considered sensitive information and is behind an additional check to ensure it is not seen by others. Select "Protected value. Click to show value." below to temporarily see the API secret key. The key will be alphanumeric and be prefixed with either sk_test_ or sk_live_ depending on whether your business is in test mode or not. It is important to utilize live API keys in your production environment and test API keys in any staging or development environments.
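As an added example (not TRYTN's own code), a startup check that enforces the live/test rule above using the documented sk_test_ and sk_live_ prefixes, and that logs only a redacted form of the key. The environment names and the TRYTN_API_KEY and APP_ENV variable names are assumptions.

```python
import re

# Key format as described above: "sk_test_" or "sk_live_" followed by an
# alphanumeric secret. The secret's length is not documented, so none is assumed.
KEY_RE = re.compile(r"sk_(test|live)_([A-Za-z0-9]+)")

# Assumed deployment names; adjust to your own environments.
EXPECTED_MODE = {"production": "live", "staging": "test", "development": "test"}


class KeyConfigError(ValueError):
    """Raised when the configured key does not fit the deployment."""


def redact(key: str) -> str:
    """Return a log-safe form: the prefix plus the last four characters."""
    m = KEY_RE.fullmatch(key)
    if not m:
        return "<malformed key>"
    secret = m.group(2)
    tail = secret[-4:] if len(secret) > 8 else ""
    return f"sk_{m.group(1)}_...{tail}"


def check_key(key: str, app_env: str) -> str:
    """Validate the key against the environment and return its mode."""
    key = key.strip()  # trailing newlines from secret files are a common slip
    m = KEY_RE.fullmatch(key)
    if not m:
        raise KeyConfigError("API key is missing or not in sk_test_/sk_live_ form")
    expected = EXPECTED_MODE.get(app_env)
    if expected is None:
        raise KeyConfigError(f"unknown environment {app_env!r}")
    if m.group(1) != expected:
        # Never include the full key in the error text.
        raise KeyConfigError(
            f"{redact(key)} is a {m.group(1)} key but {app_env} requires {expected}"
        )
    return m.group(1)


if __name__ == "__main__":
    import os
    key = os.environ.get("TRYTN_API_KEY", "")  # assumed variable name
    env = os.environ.get("APP_ENV", "development")  # assumed variable name
    print(f"using {redact(key)} in {env}: mode={check_key(key, env)}")
```

Running the check before the integration makes its first request stops a test key from reaching production, or a live key from reaching a development machine, without the secret ever appearing in logs.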
Revoking an API Key
There are times when you need to revoke a third-party application's access to the TRYTN system. In this case, the best course of action once your integration has been turned off is to revoke the API key. You can do this in the API section. Find the API key you wish to revoke and select Actions > Delete. Note that this will break any existing live integration.
Rotating API Keys
Rotating API keys means switching the API key that is in use for an integration on a periodic schedule. This can help prevent malicious actors from using an existing API key that was leaked during a breach. It is up to your DevSecOps team to determine the appropriate rotation schedule, if any.
To rotate a key, follow the instructions to create a new API key. Switch out the existing key in your code base or the third-party application using the key. Once you have confirmed that the switch has been completed, follow the instructions for revoking the former key.