This article documents the process that Carriers can use to implement an API Key Rotation programmatically and/or use these steps to rotate the keys manually.
Why?
Security best practices such as API key rotation keep clients aligned with industry standards. Rotating API keys reduces the risk posed by compromised keys, which can leak through many exposure points: contractors, scripts, shared custody across multiple internal teams, and so on.
Best Practice
The most common Industry Standard for API Key Rotation is every 180 days.
How?
Hi Marley's 'API Key Actions' APIs enable carriers to rotate their API keys programmatically.
The API Key Actions APIs consist of:
1. GET API Key
   - https://{apiBaseUrl}/api/api-key
   Headers:
   x-api-key: {hiMarleyApiKey}
   No Body
2. POST API Key
   - https://{apiBaseUrl}/api/api-key
   Headers:
   x-api-key: {hiMarleyApiKey}
   Body:
   {
   "NOTES": "<string>"
   }
   NOTES is free text describing the key, e.g. what it is used for.
3. DELETE API Key
   - https://{apiBaseUrl}/api/api-key
   Headers:
   x-api-key: {hiMarleyApiKey}
   Body:
   {
   "API_KEY": "<string>"
   }
Process
If your carrier would like to implement API key rotation, it is important to communicate and structure this initiative internally at your organization to ensure that:
- Key stakeholders are in the loop.
- Systems that use the key are programmatically notified of the rotation date and fed the new key (the old one will be deleted and no longer active).
- There is a crossover period during which both keys are active before the older key is deleted; we recommend this.
- Someone owns the API key rotation process to test it, monitor it, and provide updates if there is an issue.
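The rotation flow described above (mint with POST, verify with GET, distribute during a crossover window, then retire the old key with DELETE) as an added example; this is not Hi Marley's own code. The page does not show the endpoints' responses, so it assumes the POST reply is JSON carrying the new key under "API_KEY" and that success is HTTP 200; `distribute` is a hypothetical carrier-side hook, and `FakeKeyService` is a constructed stand-in so the flow runs offline.

```python
"""Rotation against the Hi Marley 'API Key Actions' endpoints (added example,
not Hi Marley's code). Assumed, since the page does not show responses: the POST
reply is JSON with the new key under "API_KEY", and success is HTTP 200."""
import json
import urllib.request

def http_json(method, url, api_key, body=None):
    """Real transport: x-api-key header as documented, JSON body when given."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

def rotate_api_key(api_base_url, old_key, notes, distribute, transport=http_json):
    """Mint, verify, distribute (crossover), then retire. `distribute(new_key)`
    is the carrier's hook; it returns True only when every consumer has the key."""
    url = f"https://{api_base_url}/api/api-key"
    # 1. Create the replacement while the old key is still active.
    status, created = transport("POST", url, old_key, {"NOTES": notes})
    if status != 200:
        raise RuntimeError(f"POST api-key failed: HTTP {status}")
    new_key = created["API_KEY"]  # assumed response field name
    # 2. Prove the new key authenticates before anything depends on it.
    if transport("GET", url, new_key)[0] != 200:
        raise RuntimeError("new key rejected; old key left active")
    # 3. Crossover window: both keys stay valid until every consumer confirms.
    if not distribute(new_key):
        raise RuntimeError("crossover incomplete; old key left active")
    # 4. Retire the old key, authenticating with the new one.
    if transport("DELETE", url, new_key, {"API_KEY": old_key})[0] != 200:
        raise RuntimeError("DELETE api-key failed; retry or escalate")
    return new_key

class FakeKeyService:
    """Constructed in-memory stand-in for the endpoints, so this runs offline."""
    def __init__(self, *active):
        self.active, self.calls = set(active), []

    def __call__(self, method, url, api_key, body=None):
        self.calls.append((method, api_key, body))
        if api_key not in self.active:
            return 401, {}
        if method == "POST":
            self.active.add("NEW-KEY")
            return 200, {"API_KEY": "NEW-KEY"}
        if method == "DELETE":
            self.active.discard(body["API_KEY"])
        return 200, {}
```

A failed crossover leaves both keys active rather than deleting the old one, so consumers keep working while the rotation is retried.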